Solved

Running 2 SSL websites under Windows Server 2003 RRAS/NAT

Posted on 2010-01-04
Last Modified: 2012-05-08
I have a 2003 server that is set up to run both VPN and NAT.  It has a public facing NIC with 2 routable IP's (2nd one just added) and a private facing NIC with currently 3 private IP's.

I'm trying to run 2 SSL websites from this server.  Before I needed these sites to be SSL encrypted, I was able to run them off a single public IP address with host headering, but that obviously will not work anymore.

So now, I'm having trouble configuring NAT to allow external traffic to the 2nd website.  I have each of the websites bound to a separate internal IP.  I've tried adding the entire public subnet our ISP has assigned to the RRAS address pool, and then creating reservations for 2 of the public IP's to the 2 internal IP's the sites are running on.  Then under Services and Ports, I've created specific rules to map traffic received on those 2 address pool entries to the internal IP addresses they should be associated with.

So right now, the traffic that was flowing to the original public IP address on the external NIC is all working correctly, but I can't get any traffic to the 2nd public IP address??  What am I doing wrong??
Question by:bmenzel
10 Comments
LVL 74

Expert Comment

by:Glen Knight
ID: 26172378
Have you configured the A record in your external DNS for the second website to point to the second IP address instead of the first one?

Author Comment

by:bmenzel
ID: 26172444
Yes, I have the A record set correctly, but I can't access the IP address
LVL 8

Expert Comment

by:Maniac_47
ID: 26172458
You will also need to allow your firewall to pass SSL (443) traffic to the new IP address (internal).  That way, after you configure the NAT policy, you can pass any traffic where the destination is the second IP on port 443 to go to the second NIC's internal IP on the server, which would tell it to run off the second site.

Also check IIS and that second website and make sure that you have it set to only use the second public IP we're discussing here, as if it uses "all unassigned" it can lead to this behavior as well.

Author Comment

by:bmenzel
ID: 26172493
The 2003 Server is acting as the firewall, and I have created the mappings in Services and Ports which as I understand it should open those ports to be listened to, as it's working for the original IP address.   I did make sure that I had each site specifically bound to a single internal IP address.
LVL 74

Expert Comment

by:Glen Knight
ID: 26172532
Can you see the request for the IP address come into your firewall?
How long ago did you make the A record change?

If you open port 80 for that IP address and try and telnet to port 80 or 443 what happens?

Have you assigned the IP addresses to the websites in IIS?

Author Comment

by:bmenzel
ID: 26172697
I'm not seeing the requests for the IP address coming into the firewall.

The A record shouldn't really come into play, even though it has had time to fully propagate. I'm trying to access the site directly via http://publicip; I'd be fine if that was throwing a certificate error, but it's just giving a page not found error.

My question really is about RRAS and NAT under Server 2003, the assigning of public IP's and private IP's under IIS as well as DNS are not my issue, I'm 100% certain.
LVL 8

Expert Comment

by:Maniac_47
ID: 26173016
Can you clarify your IP setup from the original post?  You'll need 1 public IP to be NATed to 1 private IP.  It sounds like you have multiple private IPs on one card and public IPs running off of another.

Author Comment

by:bmenzel
ID: 26173130
Sure!!!

OK, so I have a public NIC with the IP's 207.x.x.228 and 207.x.x.250

Internally, there is a NIC with the IP's 10.x.x.160, 10.x.x.161 and 10.x.x.162

One website is bound to 10.x.x.161, the other is bound to 10.x.x.162

In RRAS, I have the entire 207.x.x.226 / 255.255.255.224 subnet added to the address pool.  All of those IP's are assigned to us by the ISP.  I have reservations set up in the address pool for 207.x.x.228 -> 10.x.x.161 and 207.x.x.250 -> 10.x.x.162, both with incoming requests allowed.

Under Services and Ports in the NAT/Basic Firewall -> WAN-VPN NIC properties, I have custom entries, for example, 250 HTTP which says On this address pool entry 207.x.x.250, Protocol TCP, Incoming Port 80, Private Address 10.x.x.162, Outgoing Port 80.

I have also set up the corresponding entry for port 443, as well as 2 more entries for those ports but on 207.x.x.228.

I can access the site running publicly on the 228 IP, but not the 250.
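Two of the things the thread checks by hand, whether each site is bound to its own private IP in IIS and whether every Services and Ports entry points at an address the server actually listens on, can be cross-checked from `netstat -an` output. This is an added example, not from the thread; the netstat lines are constructed, and placeholder addresses (RFC 5737 / RFC 1918) stand in for the poster's 207.x.x.x and 10.x.x.x ones.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -an` as a Windows Server 2003 host prints it.
# Site 1 is bound to 10.0.0.161; site 2 was left on "All Unassigned" (0.0.0.0:443)
# and nothing at all listens on 10.0.0.162:80.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    10.0.0.161:80          0.0.0.0:0              LISTENING
  TCP    10.0.0.161:443         0.0.0.0:0              LISTENING
  UDP    10.0.0.160:500         *:*
"""

# Services and Ports entries as described in the thread: (public IP, port, private IP).
NAT_MAPPINGS = [
    ("203.0.113.228", 80, "10.0.0.161"),
    ("203.0.113.228", 443, "10.0.0.161"),
    ("203.0.113.250", 80, "10.0.0.162"),
    ("203.0.113.250", 443, "10.0.0.162"),
]

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.M)


def tcp_listeners(netstat_text: str) -> Set[Tuple[str, int]]:
    """Return the set of (local IP, port) pairs in LISTENING state."""
    return {(ip, int(port)) for ip, port in LISTEN_RE.findall(netstat_text)}


def check_nat_mappings(netstat_text: str, mappings) -> Dict[str, List[str]]:
    """Classify each NAT entry against the real listeners.

    ok:            the private IP:port has its own listener (site bound per IP).
    wildcard_only: only a 0.0.0.0 listener covers the port, i.e. the site is on
                   "All Unassigned", so host-header-style confusion is possible.
    missing:       no listener at all; forwarded packets are refused by the server.
    """
    listeners = tcp_listeners(netstat_text)
    result: Dict[str, List[str]] = {"ok": [], "wildcard_only": [], "missing": []}
    for public_ip, port, private_ip in mappings:
        label = f"{public_ip}:{port} -> {private_ip}:{port}"
        if (private_ip, port) in listeners:
            result["ok"].append(label)
        elif ("0.0.0.0", port) in listeners:
            result["wildcard_only"].append(label)
        else:
            result["missing"].append(label)
    return result
```

Run it against real output with `check_nat_mappings(open("netstat.txt").read(), NAT_MAPPINGS)` after saving `netstat -an > netstat.txt` on the RRAS box; anything under `missing` cannot be fixed in NAT, only in IIS bindings.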
LVL 37

Accepted Solution

by:meverest (earned 750 total points)
ID: 26175395
Can you get a ping reply from 207.x.x.250?  What does traceroute (tracert at cmd shell) tell you?

Cheers.

Author Closing Comment

by:bmenzel
ID: 31672461
The problem actually sort of solved itself with a switch restart; it had been routing data to the 250 IP to another server that had been listening on that port previously.  I guess it cached the route and didn't switch the packets over when the initial server stopped listening on 250 and this one started.  The tracert command, which I really should have done myself first, was helpful, thank you.