Solved

Second webserver

Posted on 2009-05-19
Last Modified: 2012-05-07
I just added my backup server to my internal SBS domain that handles my mail, RWW, and network. My backup server needs ports 80 and 443, so I had to configure my Sonicwall tz170 to do a one-to-one NAT for my second IP to my backup server. However, something is wrong internally. I can't go to the private address on another computer in the domain. I can get to my website if I type the address in the backup server.
Backup server 192.168.10.50
I can type 192.168.10.50 in the browser on the backup server and get the webpage, just not on another computer in the network. Is that a firewall setting or a server setting?
Do I need to add anything to my SBS2008 server?
I changed the A record at my hosting site to point backup.mycompany.com to the new Static IP.
My other A records, like mail and remote, all point to my other static IP of my router.
Question by:calitech
17 Comments
 
LVL 10

Expert Comment

by:PlusIT
ID: 24427240
To clear things up a bit, could you answer the following questions please:

what is the ip and netmask of the server and the backup server?
what is the ip and netmask of a client you are failing the test from?
can you ping the ip of the backup system from the client?
0
 

Author Comment

by:calitech
ID: 24427313
Backup server 192.168.10.50 255.255.255.0
internal client that fails 192.168.10.162 255.255.255.0
I can \\192.168.10.50 and browse shared folders and files from the client computer.
The backup server was working when it was outside of the network on a different static IP.
It has to be something with SBS2008 and its internal webstuff? because they both use port 80?


0
 

Author Comment

by:calitech
ID: 24427329
when I am outside of the network and try backup.mydomain.com I get the IIS7 welcome page.
0
 
LVL 10

Expert Comment

by:PlusIT
ID: 24427421
Aha, so your backup server is actually software installed on the SBS2008 machine; I had the impression it was a second physical machine.  If that is the case then yes, IIS is listening on port 80 also.  What backup software are you using? There must be a way to rebind the port in your backup software.  I wouldn't rebind the IIS port, as you will probably break things that way and make it more complicated.
0
 

Author Comment

by:calitech
ID: 24428449
No, the backup server is a second physical machine.
I am using Ashay. I have found where I can change the port 80 and 443 for the server, but it never worked. Do I need to do anything in IIS?
0
 
LVL 16

Expert Comment

by:ccomley
ID: 24429777
Note that unlike other protocols, HTTP cannot work identically when you give it an IP address to when you give it a site name; this is because the site name you type into the browser is *passed* to the server as part of the request. Without this, you wouldn't be able to run multiple websites on one server. But because of this, you *normally* have a "default" site which comes up when you access the server by number only and there's no site name in the request. And if there *is* only one site on the server then this I would expect to be the "default" site, but you might want to make sure that it *is*.

Otherwise, I think you need to check the logs on the backup server and see what it records, if anything, when you attempt to access it. Run TCPMon (sysinternals) on it and see if it even spots when someone tries to connect to it. Can you connect to the backup server using other protocols, e.g. SMB, SMTP, POP, FTP, etc.? (Depends what you're running on it of course.)



I think this pretty clearly is NOT a firewall problem - once you're sure you can access the backup server from the LAN whenever you want then you can worry about getting it working through the firewall. But if you can't access it from the LAN side... :(

Can the backup server access the internet?

Can the backup server browse the "main" server?

0
 
LVL 10

Expert Comment

by:PlusIT
ID: 24430698
Hi ccomley, I think the backup software running on port 80 and IIS are two separate daemons from what I understand from calitech, so virtual hosts won't solve the problem.

calitech, if it's not the case please let us know.
0
 
LVL 16

Expert Comment

by:ccomley
ID: 24431763
I understood it to be a different *machine* but even so, the base problem applies - if there is no "default" site then trying to access the web server (whatever it is) via IP address alone will fail.
0

Author Comment

by:calitech
ID: 24432785
OK, I can telnet to 192.168.10.50 25, 21, 110 but not 80 or 8009, which is the new port I configured for the backup application to listen on. I changed it back to 80 and still can't telnet.
So back to the default site. When this backup server was outside of this network it was on its own, and I don't see IIS installed on this 2003 server. But now that it is attached to my SBS2008 domain, there must be something I have to do on the server to allow the 2008 server to pass the information on to the backup server. I joined the backup server to the domain. Do I need to do anything in DNS or IIS on the 2008 server?
0
 

Author Comment

by:calitech
ID: 24432985
Should there be a local address for the listening ports?

C:\Documents and Settings\Administrator.domainname>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1038           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1108           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1048         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5800         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8014         0.0.0.0:0              LISTENING
  TCP    192.168.10.50:139      0.0.0.0:0              LISTENING
  TCP    192.168.10.50:3389     192.168.10.11:4026     ESTABLISHED
  TCP    192.168.10.50:4139     69.12.210.201:5721     ESTABLISHED
  TCP    192.168.10.50:4224     192.168.10.5:135       ESTABLISHED
  TCP    192.168.10.50:4225     192.168.10.5:1031      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1039           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:10000          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1025         *:*
  UDP    127.0.0.1:1041         *:*
  UDP    127.0.0.1:1085         *:*
  UDP    127.0.0.1:1095         *:*
  UDP    127.0.0.1:1103         *:*
  UDP    127.0.0.1:1295         *:*
  UDP    127.0.0.1:2742         *:*
  UDP    127.0.0.1:4140         *:*
  UDP    192.168.10.50:123      *:*
  UDP    192.168.10.50:137      *:*
  UDP    192.168.10.50:138      *:*

C:\Documents and Settings\Administrator.domain>
0
 
LVL 10

Expert Comment

by:PlusIT
ID: 24443731
As your netstat shows, there's nothing running on port 80; there is, however, something running on 8009:

TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING

From the localhost itself, do you get a TCP connect while trying to telnet to localhost port 8009?  If you do, check your server's local firewall policies.
As it's listening on address 0.0.0.0, it's bound to all IPs.

Btw ccomley, you are saying that when there is no "default" site then trying to access the web server (whatever it is) via IP address alone will fail.  This is right, but most daemons have a default vhost where undefined vhosts will switch to; most of the daemons from antivirus, backup software and so on are set up this way.


0
 

Author Comment

by:calitech
ID: 24444330
That is the port I am trying to connect to but I can't. I go to 192.168.10.50:8009 and I get nothing, but if I type that in on the backup server I get the login page that is supposed to come up.
That is why I think SBS 2008 is blocking it somehow.
0
 
LVL 10

Expert Comment

by:PlusIT
ID: 24444377
You got me even more confused now, so you have your SBS server, a separate backup server and a client?  So three machines?

If the connection is not working from the SBS server or the client and only on the backup server itself then it mostly is a firewall issue.

Check to make sure incoming connections to that port are allowed on the backup server.
Make sure outgoing is allowed on the client and SBS server.  Disable your local firewall/antivirus software to test if they are blocking it.  I have never experienced an SBS server blocking an outgoing connection on that port on the LAN by default.
0
 

Author Comment

by:calitech
ID: 24444813
Not a firewall issue, because I have called support for my Sonicwall and they ran tests that show it going through.
Where in SBS 2008 can I disable the firewall for everyone? My client machine is greyed out because SBS is taking care of that.
0
 

Author Comment

by:calitech
ID: 24447038
Well I dis-joined the server from the domain and that seems to work. It would have been nice to have it on the same domain.
0
 
LVL 10

Accepted Solution

by:
PlusIT earned 500 total points
ID: 24450054
calitech: you got the solution right there then; if you join the backup server to the domain it gets the standard domain policy firewall rules.

You can change these rules in the default domain policy.  Or you could make a new OU in AD and apply a separate policy there to open that port on the backup server's soft firewall.
0
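The diagnosis this thread arrives at, as an added example that is not part of the original posts: it combines the bind addresses from the posted `netstat -an` output with local and remote connect results to separate "not listening", "loopback only" and "filtered by the host firewall". The function names and result strings are assumptions made for this sketch; the sample input is an excerpt of the output posted above.

```python
import re
import socket

# Excerpt of the netstat -an output posted in the thread (TCP lines only).
NETSTAT = """\
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    192.168.10.50:139      0.0.0.0:0              LISTENING
  TCP    192.168.10.50:3389     192.168.10.11:4026     ESTABLISHED
"""

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def listeners(netstat_text):
    """Map each listening TCP port to the set of local addresses it is bound to."""
    bound = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m:
            bound.setdefault(int(m.group(2)), set()).add(m.group(1))
    return bound

def tcp_connects(host, port, timeout=2.0):
    """Scripted equivalent of the telnet tests: True if the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(bound, port, server_ip, local_ok, remote_ok):
    """Combine the bind address with connect results from the server and from a client."""
    addrs = bound.get(port)
    if not addrs:
        return "not listening: fix the service or its port setting"
    if remote_ok:
        return "reachable"
    if addrs <= {"127.0.0.1"}:
        return "loopback only: rebind the service to the LAN address"
    if "0.0.0.0" not in addrs and server_ip not in addrs:
        return "bound to another address: rebind the service"
    if local_ok:
        return "listening on the LAN address but filtered: check the host firewall policy"
    return "listening but not accepting: check the service itself"
```

Run `tcp_connects` once on the server itself and once from a LAN client, then pass both results to `diagnose`; for port 8009 in this thread (local connect works, remote does not) the result points at the host firewall policy the server received on joining the domain.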
 

Author Closing Comment

by:calitech
ID: 31583270
Thanks
0
