Port Forward using Server 2008 Windows Firewall

Posted on 2010-01-08
Last Modified: 2012-05-08
I have a server (Windows Server Standard 2008) running IIS and Tomcat. I do have 2 public IPs assigned to the same network card, and if necessary can add a 2nd network card to split the 2 IPs onto 2 physically separate hardware ethernets.

At present Windows Firewall is open on port 80, and 8080.

What I would like to do is forward External_IP-1:80 to Internal_IP-1:80 and External_IP-2:80 to Internal_IP-2:8080 using the settings in the standard Windows Firewall that ships with Server 2008.

Is this possible? If so how do I do it?

I have tried various settings in the INBOUND RULES without success.

Thanks
Question by:Bird757
 
LVL 3

Expert Comment

by:Kyosh
ID: 26208652
You want to forward ports from a server to the same server?
Could you elaborate on the reasons for wanting this?
0
 
LVL 14

Expert Comment

by:MCSA2003
ID: 26208672
You can open up the ports on the firewall by creating a new rule. What type of firewall/router are you using? The reason I ask is that a typical Linksys Router will serve as a firewall and you will have to open up the ports there as well. The nice thing about Linksys is you can open up a range of ports just like you want in a single line.
0
 

Author Comment

by:Bird757
ID: 26208755
Hi Kyosh,

I am running IIS and Tomcat. My web site is on IIS and my mobile app (WAP) is on Tomcat. Both are on the same server and both are being accessed by people on the internet. As things stand I need to provide the people using the WAP site with a URL that includes the :8080 (i.e. http://www.MyDomain.mobi:8080). People who access the normal web site go to (http://www.MyDomain.com).

What I am trying to achieve is a situation where I don't need the people accessing the WAP site to specify the port (i.e. they can use http://www.MyDomain.mobi without needing to add :8080)

MCSA2003: As for the firewall I am using the standard Windows Firewall that ships with Server 2008. The cost of adding a hardware firewall at my ISP is too high given that the server security provided by Microsoft's firewall has not failed me in years and no-one is really interested in hacking my little server.
0
 
LVL 3

Expert Comment

by:Kyosh
ID: 26208787
How about having IIS listen on Interface1:80 and Tomcat listen on Interface2:80 ?
0
 
LVL 14

Expert Comment

by:MCSA2003
ID: 26208879
Just to be clear, you have your server connected straight to the internet with no router sitting in between your ISP and server?
0
 

Author Comment

by:Bird757
ID: 26209483
Kyosh:
The idea of getting Tomcat to listen on port 80 is an option we tried, but because IIS is using the port, linking it to Tomcat failed. If you know how we can do this it will work.

MCSA2003:
Yes. Direct to the internet with no hardware firewall in place. There is a router but that belongs to the ISP and there is nothing we can do on it. So the solution I am looking for needs to be at a software level within Windows Server 2008 Firewall. There are settings pages when creating the rule: there is a page for the Local and Remote port, and a page for the Local and Remote IP the rule applies to. I set the Local port to 8080 and Remote port to 80, and specified the IPs. I then did the same for the 2nd IP, specifying the Local and Remote ports to both be port 80. In IIS I told IIS the Web Site resided on the specific (2nd) IP. IIS worked, but the port 8080 traffic on the other IP returned a Destination Does Not Exist message within the remote browser.

NAT and that type of stuff is not my strength so I am of the opinion it is a simple thing I am not understanding.
0
 
LVL 3

Expert Comment

by:Kyosh
ID: 26209629
To make IIS listen on one IP, try:
netsh http add iplisten ipaddress=xxx.xxx.xxx.xxx

Restart IIS and then see if you can have Tomcat listen to Port 80 on the other IP.
0
 

Author Comment

by:Bird757
ID: 26209987
Kyosh, I have done the IIS part (and it seems to have stopped IIS handling requests on the 2nd IP). I have asked my Tomcat-person to make the changes on Tomcat but he is not available for a while.

Do you know how to change Tomcat from port 8080 to port 80 - listening? If you do I can make the change and check.

Thanks
0
 
LVL 3

Expert Comment

by:Kyosh
ID: 26210082
In server.xml, change connector port to 80 and address to the other IP.
0
 

Author Comment

by:Bird757
ID: 26210519
I don't see any IP specified in server.xml - do you know the syntax I need to add to specify the IP?

The area I am guessing I need to change is:

  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Catalina">

    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <Connector port="8080" maxHttpHeaderSize="8192"
            
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="true" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />

0
 
LVL 3

Expert Comment

by:Kyosh
ID: 26211014
address="***.***.***.***"
Just put it in the connector somewhere, after disableUploadTimeout for instance.
0
 

Author Comment

by:Bird757
ID: 26212725
I modified Tomcat's server.xml to include the IP (which is different to the IP allocated / linked to IIS) and set Tomcat to listen to port 80 - no success. If I alter server.xml from port 80 to 8080 and restart, the Tomcat site works immediately.

This is the problem we had before where it appears IIS is handling port 80 even though it is not set to listen on that IP.

If there is any more config needed on IIS or Tomcat I need to try please let me know - if not I need to get back to the original question regarding setting Port Forward on Windows Firewall.
0
 
LVL 3

Accepted Solution

by:
Kyosh earned 1500 total points
ID: 26213165
I presume you've tried to restart the server as well.
Just to be clear, you are using IIS7?

I am sorry to say that there are no port forward settings in the native Windows 2008 firewall.

After you've started IIS, try doing a netstat -an
You should see IP1:80
If you see 0.0.0.0:80 then you didn't bind IIS to the IP.
If that is the case type "netsh http show iplisten"
It should show you IP1
0
 

Author Comment

by:Bird757
ID: 26253237
I have gone ahead and restarted the server. It looks like Tomcat is listening on IP2:80 but my web calls are not reaching it.

Test was using TELNET xxx.x.x.x 80 from a server located in a physically different country. The request times out.

I then stopped Tomcat, changed only the PORT in server.xml from 80 to 8080, and restarted Tomcat. Telnet xxx.x.x.x 8080 immediately succeeded.

To check what IIS was doing with Port 80 I ran netstat -an with Tomcat Stopped, and then again with Tomcat Running. With Tomcat stopped I saw
  TCP    IP1.xxx.xxx.xxx:80       0.0.0.0:0              LISTENING

When I started Tomcat I had a 2nd entry listening on port 80
  TCP    IP1.xxx.xxx.xxx:80       0.0.0.0:0              LISTENING
  TCP    IP2.yyy.yyy.yyy:80       0.0.0.0:0              LISTENING

netsh http show iplisten only lists IP1 (even with Tomcat running).

Do you have any idea of what I am doing wrong here? It is as if port 80 is not forwarding to Tomcat:80 on the 2nd IP.
0
 
LVL 3

Expert Comment

by:Kyosh
ID: 26267809
As far as I know you've done everything right and that should work.
I am sorry to say I don't know enough about your network setup to identify where it goes wrong.

Does it work if you try to telnet the IP from the server itself (and not from a server in another country)?

If you have another network adapter available you could try to set that up, however it shouldn't make much of a difference.
0
 

Author Comment

by:Bird757
ID: 26280804
Solved by doing the following:

1. Bind IIS to IP1 using netsh http add iplisten ipaddress=xxx.xxx.xxx.xxx

2. Bind Tomcat to IP2 and specify Tomcat to use port 80 by editing server.xml

3. Go to the Windows Firewall console, and select the pre-existing port 80 rule. Edited this rule to include the specific IP1 under Scope, Local Address. Created a 2nd Inbound Rule for Port 80, and under Scope specified IP2 as the local address.

No idea why the rules needed to be separated, but this worked.

Thanks for your input on this
0
 

Author Closing Comment

by:Bird757
ID: 31674482
Combined with all the steps this provided a method for doing what was needed.
0
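
The three steps from the "Solved by doing the following" post above, written out as commands for an elevated PowerShell prompt. This is an added example, not something posted in the thread; the two addresses (documentation range), the rule names and the Tomcat service name are constructed placeholders to replace with your own values.

```powershell
# Added example; run from an elevated PowerShell prompt on the server.
# Constructed placeholders (not from the thread): both addresses, the rule
# names and the Tomcat service name.
$IP1 = '192.0.2.10'                       # address IIS should answer on
$IP2 = '192.0.2.11'                       # address Tomcat should answer on
$ExistingRule  = 'EXISTING-PORT-80-RULE'  # name of the pre-existing port 80 rule
$TomcatService = 'TOMCAT-SERVICE-NAME'    # Windows service name of Tomcat

# Step 1: restrict the HTTP listener used by IIS to IP1, then restart IIS
# as described in the thread.
netsh http add iplisten ipaddress=$IP1
iisreset
netsh http show iplisten                  # should list only IP1

# Step 2: in Tomcat's server.xml, set the connector to port 80 on IP2,
# keeping the other attributes as they are:
#   <Connector port="80" address="192.0.2.11" ... />
# then restart Tomcat so it picks up the change.
Restart-Service -Name $TomcatService

# Step 3: scope the existing port 80 rule to IP1 (Scope > Local Address in
# the console) and add a second inbound port 80 rule scoped to IP2.
netsh advfirewall firewall set rule name="$ExistingRule" new localip=$IP1
netsh advfirewall firewall add rule name="HTTP-80-Tomcat" dir=in action=allow protocol=TCP localip=$IP2 localport=80

# Check: each address should show its own listener on port 80. A line for
# 0.0.0.0:80 means IIS is still bound to every address.
netstat -an | Select-String -Pattern ':80\s+\S+\s+LISTENING'
netsh advfirewall firewall show rule name="HTTP-80-Tomcat"
```

Scoping each rule to a single local address also keeps port 80 closed on any address later added to the adapter until a rule is created for it.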
