Solved

multihomed 2008 Web server with internal database

Posted on 2010-09-13
Last Modified: 2012-05-10
I have a development web server multihomed with two gateways:
                                          ISP
                                           |
                                       ISP Modem
                                       IP x.x.x.0
                                       GW x.x.x.1
                                           |
Router A ------------------------------------Router B
IP x.x.x.2                                   IP x.x.x.3
GW x.x.x.1                                   GW x.x.x.1
NAT 192.168.1.1                              NAT 192.168.65.1
|      |                                     |
|      SERVER2 NIC2                          NIC1
|      IP 192.168.1.101                      IP 192.168.65.100
|      GW 192.168.1.1                        GW 192.168.65.1
|      |                                     |
|      --------------------------------------SERVER2
|                                            Website2
|
SERVER1 NIC1
IP 192.168.1.136
GW 192.168.1.1
|
SERVER1
Website1/SQL/DC

What I am trying to sort out is the correct way to configure firewall and security in order to allow access to the SQL server instance on Server1 from the website2 on Server2.

Right now, my connections to the database from server2 do not work. I have enabled ports 1443, 1444 for only NIC2 and it still does not work.

Any ideas on a better database setup are appreciated. I will be putting a new DC in the place of Server1 so it can just be the SQL server. Website1 will be moved to Server2. My idea is to place the sql server on a third subnet with restricted access to IP addresses on the two subnets so that internal applications can access the database as well as the websites.
Question by:DevMikeDallas
5 Comments
 

Expert Comment

by:Hex255
Can you do a "route print" (in CMD window) for both servers and paste it here?

good luck
 

Author Comment

by:DevMikeDallas
SERVER1


IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...xx xx xx xx xx xx ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.136      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.136    192.168.1.136      1
    192.168.1.136  255.255.255.255        127.0.0.1        127.0.0.1      1
    192.168.1.255  255.255.255.255    192.168.1.136    192.168.1.136      1
        224.0.0.0        240.0.0.0    192.168.1.136    192.168.1.136      1
  255.255.255.255  255.255.255.255    192.168.1.136    192.168.1.136      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None





SERVER2
===========================================================================
 11 ...xx xx xx xx xx xx ...... Intel(R) PRO/100 S Server Adapter
 10 ...xx xx xx xx xx xx ...... Intel(R) PRO/1000 MT Network Connection
  1 ........................... Software Loopback Interface 1
 12 ...xx xx xx xx xx xx xx xx  isatap.{----}
 14 ...xx xx xx xx xx xx ...... Teredo Tunneling Pseudo-Interface
 13 ...xx xx xx xx xx xx xx xx  isatap.{----}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.65.1   192.168.65.100    276
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.101    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.101    276
    192.168.1.101  255.255.255.255         On-link     192.168.1.101    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.101    276
     192.168.65.0    255.255.255.0         On-link    192.168.65.100    276
   192.168.65.100  255.255.255.255         On-link    192.168.65.100    276
   192.168.65.255  255.255.255.255         On-link    192.168.65.100    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.65.100    276
        224.0.0.0        240.0.0.0         On-link     192.168.1.101    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.65.100    276
  255.255.255.255  255.255.255.255         On-link     192.168.1.101    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.65.1  Default
          0.0.0.0          0.0.0.0      192.168.1.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 14     18 ::/0                     On-link
  1    306 ::1/128                  On-link
 14     18 2001::/32                On-link
 14    266 2001:0:4137:9e76:3cf8:d4f:3f57:fe9a/128
                                    On-link
 10    276 fe80::/64                On-link
 11    276 fe80::/64                On-link
 14    266 fe80::/64                On-link
 14    266 fe80::3cf8:d4f:3f57:fe9a/128
                                    On-link
 11    276 fe80::40fe:557a:fd93:fc07/128
                                    On-link
 10    276 fe80::4435:812d:4d32:925f/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
 11    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Accepted Solution

by:Hex255
The problem you have is that you entered 2 default gateways in SERVER2:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.65.1   192.168.65.100    276
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.101    276

That is invalid.

You will need to address that before you can move on.
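The route table pasted above, run through longest-prefix-match selection, as an added example that is not part of the original thread. It shows that SERVER2 reaches the SQL host at 192.168.1.136 through the on-link 192.168.1.0 route, while any off-subnet destination matches both default routes at the same metric, so the table alone does not say which gateway carries it. The destination 203.0.113.10 is a documentation address chosen for illustration, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: SERVER2's active IPv4 routes as pasted in the thread
# (loopback, broadcast and multicast rows omitted).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.65.1   192.168.65.100    276
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.101    276
      192.168.1.0    255.255.255.0         On-link     192.168.1.101    276
     192.168.65.0    255.255.255.0         On-link    192.168.65.100    276
"""

def parse_routes(text):
    """Parse 'route print' IPv4 rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # header, separator or wrapped line
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
        except ValueError:
            continue  # not an IPv4 destination/netmask pair
        routes.append((net, f[2], f[3], int(f[4])))
    return routes

def candidates(routes, dest):
    """Routes that win for dest: longest matching prefix, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    matching = [r for r in routes if ip in r[0]]
    if not matching:
        return []
    best_len = max(r[0].prefixlen for r in matching)
    longest = [r for r in matching if r[0].prefixlen == best_len]
    best_metric = min(r[3] for r in longest)
    return [r for r in longest if r[3] == best_metric]

def describe(routes, dest):
    """Return (is_ambiguous, [(gateway, interface), ...]) for dest."""
    win = candidates(routes, dest)
    return len(win) > 1, [(gw, iface) for _, gw, iface, _ in win]

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dest in ("192.168.1.136", "192.168.65.1", "203.0.113.10"):
        print(dest, describe(table, dest))
```

Host firewall rules that assume inbound and outbound traffic use the same NIC should be checked against the ambiguous case, since replies to off-subnet clients may leave through either gateway.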
 

Author Comment

by:DevMikeDallas
It looks like I had also typed the name of the database wrong on Server2. SQL access now works for both websites.

On the gateway issue, is there a way I can demonstrate this is a problem? It all seems to be working...

I have been modifying rules in the firewall so that port 80 inbound only comes from gateway 192.168.65.1, and after adding ports 1443, 1444 to the nic2 (192.168.1.101) the SQL server is accessible. I also turned off one of the TCP parameters in the registry for server2, ICMP redirect I think, during some review to harden the TCP/IP stack... Windows 2008 was missing some of the items listed here, and others were already hardened:
http://msdn.microsoft.com/en-us/library/aa302363.aspx

By the way, there is another person who did a similar setup, and a similar solution was proposed:
http://www.experts-exchange.com/Networking/Q_20861927.html

I am going to test setting the gateway to the first router, 192.168.1.1, and see if that works. I will let you know.
 

Author Comment

by:DevMikeDallas
Well, it all seems to be working except network browse, of course. And I found the article that explained the issue in detail, thanks to your answer that pointed me in the right direction:

http://windows.microsoft.com/en-US/windows-vista/Configuring-multiple-gateways-on-a-network