Please, could someone explain to me how I should configure DNS internally to access a web site via the internet?

Posted on 2009-02-10
Last Modified: 2012-05-06
I have created a new web site, which I can browse to internally, and I have added the site to internal DNS as an 'A' record. I have registered the web site, sitea.co.uk, with a DNS company against the company's external IP address. Please, could someone explain to me what record I should add to DNS internally so that when www.sitea.co.uk is browsed to it makes its way to the web server.
Question by:CaussyR
23 Comments
 
LVL 3

Expert Comment

by:orkinoks
ID: 23599308
Do you have two IP addresses on your web server? The internal DNS A record seems to be enough; you should forward your domain to the IP addresses of your web server by changing their nameservers. Refer to the website of the domain provider for nameserver creation. The nameservers should be registered with the IP addresses of your web server and the nameservers for the domain must be set to these nameservers.

If your web server has only one IP, you should set your domain's nameservers to a DNS or hosting provider and add an A record on that server, which is saved as your web server's IP address.

Hope it helps.
 

Author Comment

by:CaussyR
ID: 23600251
I have a single internet-facing IP address and an internal IP address for the server, on which I have configured a host header for the test site. The external registered site is sitea.co.uk (86.28.18.19) but internally the site sits on 172.22.23.9.

Do I need to add an 'A' host address for www.sitea.co.uk with the internal address? (Apologies for this, DNS is not my thing.. :o(  )
 
LVL 22

Expert Comment

by:cj_1969
ID: 23600677
I believe you would need to add the domain to your DNS as a managed domain if you want to configure a different IP address for the same name and not have it in the "live" DNS.

If you just add an A record ... this MIGHT work but in reality the FQDN of that would be www.sitea.co.uk.<internal domain>.  I've never tried this so I don't know if this would work or not.
 
LVL 3

Expert Comment

by:orkinoks
ID: 23610416
If the device with the 86.28.18.19 IP address has a routing function, you should route your external port 80 to the internal (172.22.23.9) port 80. This will make sure that the device (modem, router, switch, whatever) will route the HTTP requests coming from the internet to the IP of the internal server. Refer to the manual of your device or tell us about your modem, router etc.

There is nothing to do with dns as far as I understand.
 
LVL 22

Expert Comment

by:cj_1969
ID: 23611722
I just assumed that the reference to the external IP was on the same machine.
Is the external IP on the machine or is that on the firewall and then the firewall forwards the requests on to the server?

If the site is not working for the internal clients it is most likely due to the host header and the fact that the DNS lookup is finding the external IP reference and your firewall is not allowing internal clients to access its external IP.

So, you can either add the domain to your internal DNS (create a new primary domain) so that you can override the server IP and add your internal server IP reference.  See if you can find a workaround for your firewall.  Or you could create a second virtual site and point it to the same location as the main site and not configure the host header on it.  You could also try adding the machine name as I identified (the external FQDN) to your internal DNS and see if this resolves the problem also.

Sorry, I don't have any servers available to test this on.
 

Author Comment

by:CaussyR
ID: 23613710
The external address, 86.28.18.19, is the firewall, which NATs to 192.168.254.xx. The web site is hosted on Server1, which is on an internal address of 172.22.23.xx. I can see the site fine internally but externally it seems to resolve to the SBS 2008 Remote Web Workplace. I am running SBS 2008, and I wondered if that might be an issue?
 
LVL 22

Expert Comment

by:cj_1969
ID: 23613797
If the external IP is NAT'ing to 192.168.254.xx ... how is it communicating to the 172.22.23.xx subnet?  This would require routing.  This would be fine if the 192 range is a DMZ LAN and the server that was being talked to was in the DMZ ... but you are trying to get the external to talk to a server on your main LAN ... this is going to take configuring your firewall to proxy or forward the requests received on port 80 to the web server's IP.

Again, this could be done while NAT'ing to a 192 subnet but would then require additional routing to be enabled to allow communication between that subnet and the 172 subnet ... and chances are your firewall will not do routing.  If this is a DMZ configuration on the firewall for this subnet then you would also probably have to set up explicit rules to allow communication to originate from the DMZ to your LAN ... this typically is not allowed.
 
LVL 2

Expert Comment

by:Italia_NYC
ID: 23613835
From what it sounds like to me mate; this has nothing to do with DNS. Sounds like you have an IP Natting/Routing issue.

Does your organization have only one Public IP address? Or do you have many?

Provided you have your DNS records setup correctly on the outside; when someone on the outside enters in www.sitea.co.uk in their browser it should go to 86.28.18.19.

You are saying that the outside public address is your firewall and that it is being mapped to 192.168.254.x? This clearly will not work for you and explains why it isn't.

You need to statically map a Public IP address to 172.22.23.9 and open the appropriate ports (tcp 80) to it.

What you need to determine next is, is your firewall PATing (everyone inside shares ONE Public IP address), or NATing (all users inside have their own Public IP address).

Also, what brand/make firewall are you using?
 

Author Comment

by:CaussyR
ID: 23625808
The firewall we use is a WatchGuard x500, quite old... I have 1 external IP address, 86.28.18.19.
At the moment I have created a web site using host headers; the internal LAN address is 172.22.23.9, and to gain access to the firewall this then has to go through the second NIC on the 192 address. As suggested, it may be a routing issue; how do I get an external request coming from the external 86.28.18.19, which NATs back to 192.169.254.xx, then to the IIS server on 172.22.23.9?
 
LVL 22

Expert Comment

by:cj_1969
ID: 23625867
If you have NAT translating to the 192 subnet then your best bet would be to add a second IP address to the server.
Just add a 192 IP address to the same NIC as the 172 is on.  This should allow communication to the server and restrict incoming access from anything else on the LAN (basically a DMZ setup, you are just binding the DMZ IP address to the same NIC as the LAN address is on).
 
LVL 2

Expert Comment

by:Italia_NYC
ID: 23625914
I don't know anything about WatchGuard firewalls; but essentially, you need to open port 80 on it and map 172.22.23.9 to it. If your firewall can ping/access the web server, you should be done.
 
LVL 22

Expert Comment

by:cj_1969
ID: 23625936
Assuming the firewall will let you forward to your LAN then yes, this would be the easiest way to accomplish this
 

Author Comment

by:CaussyR
ID: 23631372
I have drawn up a topology so you can all get an idea of how the traffic flows, see attached file.

A user will browse to www.sitea.co.uk (86.28.18.19); this gets NATed through the firewall to 192.168.254.89 (NIC1), which is a NIC on the SBS 2008 server. All users use the SBS 2008 server as a gateway on the internal IP address of 172.22.23.1 (NIC2).  The www.sitea.co.uk site is on the DEV server (172.22.23.9).

What I cannot seem to do is browse from the internet to 172.22.23.9. When I browse to the site I am prompted for a login, which is coming from SBS 2008, so the external DNS is correct. I'm not sure about internal DNS or routing; this is where I need help to understand the set up.
LAN.bmp
 
LVL 22

Expert Comment

by:cj_1969
ID: 23635937
If you are NATing requests through your firewall without using a VPN then this is a big hole in your firewall.
What you should be doing is forwarding the port requests for the Internet address on port 80 to the SBS server on port 80.  This isolates your traffic so that no other ports can get onto/through your firewall, so that your server cannot be breached.

That said ... under your current configuration ... what is the SBS server?
Is it running a web server?  If not then you need to enable the forwarding of port 80 on the SBS server to the DEV server you want to talk to ... see this page for the configuration commands for this ... http://www.tek-tips.com/viewthread.cfm?qid=1253318&page=1

If SBS is running a web server then you would need to pick a different port for the web server's external access i.e. port 8090 ... you can then forward requests to this port to the SBS server on the same port and then set up forwarding on the SBS server for this port to go to port 80 on the DEV server.
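The port-only forwarding cj_1969 describes, carried out on the SBS host itself so that only TCP/80 crosses from the firewall-facing NIC to the LAN. This is an added example, not code from the thread or from the tek-tips page linked above; it uses netsh portproxy (a built-in user-mode TCP relay on Windows Server 2008) rather than whatever that page recommends, and it assumes the firewall delivers forwarded port-80 traffic to 192.168.254.89 (NIC1 in the author's diagram) and that the DEV server is 172.22.23.9.

```powershell
# Added example (not from the thread or the tek-tips page): relay only TCP/80 across
# the SBS 2008 host's two NICs instead of routing or NATing whole subnets through it.
# netsh portproxy accepts a connection on one address/port and opens a new connection
# to the target, so nothing but this one port crosses from 192.168.254.0/24 to the LAN.
# Assumption: the firewall forwards public TCP/80 to 192.168.254.89 (NIC1, per the diagram).

$ListenIp = '192.168.254.89'   # SBS NIC1, where the firewall delivers forwarded port-80 traffic
$TargetIp = '172.22.23.9'      # DEV server hosting www.sitea.co.uk

# Check first whether something on the SBS (typically its own IIS) already owns port 80
# on every address; a 0.0.0.0:80 listener here means the relay below cannot bind.
netstat -ano | findstr ":80 "

# Relay TCP/80 arriving on NIC1 to TCP/80 on the DEV server. Only this tuple is relayed.
netsh interface portproxy add v4tov4 listenaddress=$ListenIp listenport=80 connectaddress=$TargetIp connectport=80

# Windows Firewall on the SBS must admit the inbound connection on NIC1 only.
netsh advfirewall firewall add rule name=Relay-www-sitea-TCP80 dir=in action=allow protocol=TCP localport=80 localip=$ListenIp

# Verify: the relay table and the listening socket on the NIC1 address.
netsh interface portproxy show v4tov4
netstat -an | findstr "192.168.254.89:80"

# Rollback, for when the firewall is later configured to forward directly to the DEV server:
# netsh interface portproxy delete v4tov4 listenaddress=$ListenIp listenport=80
# netsh advfirewall firewall delete rule name=Relay-www-sitea-TCP80
```

If the first netstat shows IIS on the SBS bound to 0.0.0.0:80, the relay fails with an address-in-use error; either restrict the SBS web site binding to its LAN address (172.22.23.1) or use a different external port as cj_1969 suggests. Because the relay opens a fresh connection to the DEV server, the IIS logs there record the SBS's LAN address as the client rather than the Internet source, which matters when you later need to investigate requests against the web server.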
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 23641817
Why do you have a second NIC on your SBS?  That really isn't necessary.

If your WatchGuard will handle VLANs, then assuming that you only want your web server to be using port 80, you should just configure the WatchGuard to handle this.  (You might need to upgrade to the latest firmware).

You would then just need to add a Forward Lookup Zone in the SBS's DNS for www.sitea.co.uk that points to 172.22.23.9.  The WatchGuard will then route this to the correct server.

Jeff
TechSoEasy
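Jeff's zone suggestion as an added example (not the thread's own commands): creating, on the SBS 2008 DNS server with the built-in dnscmd tool, a zone named exactly www.sitea.co.uk whose apex A record is the LAN address, then checking what internal and external resolvers return for the name. It assumes the SBS box is the internal DNS server at 172.22.23.1 and uses a placeholder public resolver address for the comparison; neither is stated in the thread.

```powershell
# Added example (not from the thread): split-horizon DNS on the SBS 2008 DNS server
# using dnscmd, which ships with the DNS Server role on Windows Server 2008.
# Assumption (not stated in the thread): the SBS box is the internal DNS server at 172.22.23.1.

$DnsServer = '172.22.23.1'       # assumption: SBS is the internal DNS server
$Site      = 'www.sitea.co.uk'   # public host name that must resolve to the LAN address internally
$LanIp     = '172.22.23.9'       # DEV server hosting the site (from the thread)

# The pitfall raised earlier in the thread: an A record named "www.sitea.co.uk" added
# inside the internal AD zone becomes www.sitea.co.uk.<internal domain>, which is not
# the name clients query. A zone whose name IS the public host name, with the address
# at its apex, answers the real query.

# 1. Create an AD-integrated primary zone named exactly www.sitea.co.uk.
#    Scoping the zone to the one host (rather than all of sitea.co.uk) leaves every
#    other public name under sitea.co.uk resolving through the public DNS.
dnscmd $DnsServer /ZoneAdd $Site /DsPrimary

# 2. Put the LAN address at the apex (@) of that zone.
dnscmd $DnsServer /RecordAdd $Site '@' A $LanIp

# 3. Verify what internal clients will now receive for the name.
dnscmd $DnsServer /EnumRecords $Site '@'
nslookup $Site $DnsServer

# 4. Compare with the public view by asking a public recursive resolver
#    (8.8.8.8 is a placeholder here; any external resolver will do).
nslookup $Site 8.8.8.8
```

Creating the whole sitea.co.uk zone internally instead would force you to replicate every public record of that domain (mail, the bare domain and so on) or they stop resolving for internal users, which is why the single-host zone is the safer choice. Workstations cache the earlier answer, so run ipconfig /flushdns on a client before retesting; the external nslookup should keep returning 86.28.18.19 while the internal one returns 172.22.23.9.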
 

Author Comment

by:CaussyR
ID: 23649980
The second NIC is historic; one is configured to go to the internet and the other is internal.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 23655364
But it's not doing that now... so get rid of it.

Jeff
TechSoEasy
 
LVL 2

Expert Comment

by:Italia_NYC
ID: 23655379
I agree with Tech. Your network seems overly convoluted for your needs. Anything you can do to simplify will only make your life easier.
 
LVL 22

Expert Comment

by:cj_1969
ID: 23670735
If the diagram is correct then there are no redundant or extraneous NICs.
According to the diagram the 192 interface is the only connection to one switch and the 172 is the only connection to the internal LAN.

So, is the diagram correct?  If you have 2 interfaces connected the way they are indicated then you HAVE to do the forwarding of the requests through the SBS server.

If the diagram is wrong then can you provide an updated diagram so that we can see and know what we are working with ... if the SBS server and internal server are on the same switch and subnet then this changes the recommendation and configuration.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 23678229
Of course you would need to configure routing within the SBS if the network is configured the way it shows in the diagram.  But keeping that configuration seems totally unnecessary and should be simplified if possible.

Jeff
TechSoEasy
 

Author Comment

by:CaussyR
ID: 23679710
Hi Jeff, the diagram is correct, therefore do I need to configure Routing and Remote Access on the SBS server, and if so how do I manage a route to 172.22.23.9 from the firewall on address 192.xx.xx.xx?
 
LVL 22

Accepted Solution

by:
cj_1969 earned 1500 total points
ID: 23681199
Segregating your LAN from the DMZ, which is essentially what you have done, is not a bad thing.  There is an extra layer of routing involved and you are putting that routing load on the SBS server but again, it's not a bad thing, it is a trade-off in regards to security ... you have to make that determination.

Check out the link I provided ... http://www.tek-tips.com/viewthread.cfm?qid=1253318&page=1
This steps you through configuring the routing that you need to implement on the SBS server.

Just to verify ... are you actually NATing through your firewall or forwarding the packet requests just for port 80?
I guess NATing is not a bad thing if it is only packets on port 80.  Typically you would just set up a forwarding of the packets from the firewall to an internal server for a specific port to allow access to an internal resource.
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 23696546
I really wouldn't have what is essentially a DMZ routed directly into my SBS if I were you.  RAS is not a very secure firewall, and to have a publicly accessible web server routed through it would not be a good idea in my opinion, especially since you can avoid doing it quite easily.

It really would be better to have that routing be handled by your firewall/router device.

Jeff
TechSoEasy