DevMikeDallas
 asked on

multihomed 2008 Web server with internal database

I have a development web server multihomed with two gateways:

                           ISP
                            |
                        ISP Modem
                        IP x.x.x.0
                        GW x.x.x.1
                            |
Router A ------------------------------------------ Router B
IP x.x.x.2                                          IP x.x.x.3
GW x.x.x.1                                          GW x.x.x.1
NAT 192.168.1.1                                     NAT 192.168.65.1
|          |                                        |
|          SERVER2 NIC2                             SERVER2 NIC1
|          IP 192.168.1.101                         IP 192.168.65.100
|          GW 192.168.1.1                           GW 192.168.65.1
|          |                                        |
|          ---------------------------------------- SERVER2
|                                                   Website2
|
SERVER1 NIC1
IP 192.168.1.136
GW 192.168.1.1
|
SERVER1
Website1/SQL/DC

What I am trying to sort out is the correct way to configure firewall and security in order to allow access to the SQL server instance on Server1 from the website2 on Server2.

Right now, my connections to the database from server2 do not work. I have enabled ports 1443, 1444 for only NIC2 and it still does not work.

Any ideas on a better database setup are appreciated. I will be putting a new DC in the place of Server1 so it can just be the SQL server. Website1 will be moved to Server2. My idea is to place the sql server on a third subnet with restricted access to IP addresses on the two subnets so that internal applications can access the database as well as the websites.
Tags: Microsoft SQL Server, Web Servers, Network Architecture

DevMikeDallas

8/22/2022 - Mon
Hex255

Can you do a "route print" (in CMD window) for both servers and paste it here?

good luck
DevMikeDallas

ASKER
SERVER1


IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface

0x10003 ...xx xx xx xx xx xx ...... Intel(R) PRO/1000 MT Network Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.136      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.136    192.168.1.136      1
    192.168.1.136  255.255.255.255        127.0.0.1        127.0.0.1      1
    192.168.1.255  255.255.255.255    192.168.1.136    192.168.1.136      1
        224.0.0.0        240.0.0.0    192.168.1.136    192.168.1.136      1
  255.255.255.255  255.255.255.255    192.168.1.136    192.168.1.136      1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None





SERVER2
===========================================================================
 11 ...xx xx xx xx xx xx ...... Intel(R) PRO/100 S Server Adapter
 
 10 ...xx xx xx xx xx xx ...... Intel(R) PRO/1000 MT Network Connection
 
 1 ........................... Software Loopback Interface 1
 
 12 ...xx xx xx xx xx xx xx xx  isatap.{----}
 
 14 ...xx xx xx xx xx xx ...... Teredo Tunneling Pseudo-Interface
 
 13 ...xx xx xx xx xx xx xx xx  isatap.{----}
 ===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.65.1   192.168.65.100    276
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.101    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.101    276
    192.168.1.101  255.255.255.255         On-link     192.168.1.101    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.101    276
     192.168.65.0    255.255.255.0         On-link    192.168.65.100    276
   192.168.65.100  255.255.255.255         On-link    192.168.65.100    276
   192.168.65.255  255.255.255.255         On-link    192.168.65.100    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.65.100    276
        224.0.0.0        240.0.0.0         On-link     192.168.1.101    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.65.100    276
  255.255.255.255  255.255.255.255         On-link     192.168.1.101    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.65.1  Default
          0.0.0.0          0.0.0.0      192.168.1.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 14     18 ::/0                     On-link
  1    306 ::1/128                  On-link
 14     18 2001::/32                On-link
 14    266 2001:0:4137:9e76:3cf8:d4f:3f57:fe9a/128
                                    On-link
 10    276 fe80::/64                On-link
 11    276 fe80::/64                On-link
 14    266 fe80::/64                On-link
 14    266 fe80::3cf8:d4f:3f57:fe9a/128
                                    On-link
 11    276 fe80::40fe:557a:fd93:fc07/128
                                    On-link
 10    276 fe80::4435:812d:4d32:925f/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    266 ff00::/8                 On-link
 10    276 ff00::/8                 On-link
 11    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
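The two 0.0.0.0 rows in the SERVER2 table are the detail worth checking before anything else: a Windows host only ever uses one default gateway at a time, so with equal metrics the table alone does not tell you which router replies to Internet clients will leave through. The following script is an added example, not code from the thread or from any of its participants. It parses the pasted "route print" IPv4 output, counts default routes, and resolves which interface a given destination would use by longest-prefix match and then lowest metric, flagging the case where two routes tie (the two-default-gateway situation). The sample table is copied from the SERVER2 output above; everything else (function names, the report wording) is my own.

```python
"""Check a Windows `route print` IPv4 table for multiple default gateways.

Added example, not part of the original thread. Parses the pasted
'Active Routes' rows, lists default routes, and resolves the interface a
destination would use (longest prefix, then lowest metric).
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str        # dotted quad, or "On-link" on Vista/2008 and later
    interface: str      # address of the local interface the route uses
    metric: int


# destination  netmask  gateway  interface  metric  (persistent rows have
# a non-numeric "Default" metric and are deliberately not matched)
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return the Route rows from the IPv4 'Active Routes' section only."""
    routes = []
    in_ipv4 = False
    for line in text.splitlines():
        if line.startswith("IPv4 Route Table"):
            in_ipv4 = True
        elif line.startswith(("IPv6 Route Table", "Persistent Routes")):
            in_ipv4 = False
        if not in_ipv4:
            continue
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gw, iface, int(metric)))
    return routes


def default_routes(routes):
    """Every 0.0.0.0/0 entry; more than one means two default gateways."""
    return [r for r in routes if r.network.prefixlen == 0]


def select_route(routes, destination):
    """Return (route, ambiguous) for a destination address.

    Longest prefix wins, then lowest metric. ambiguous=True when two routes
    still tie, i.e. the host picks one by a rule you cannot read off the
    table, which is exactly the two-default-gateway case.
    """
    dest = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dest in r.network]
    if not candidates:
        return None, False
    best_prefix = max(r.network.prefixlen for r in candidates)
    best = [r for r in candidates if r.network.prefixlen == best_prefix]
    best_metric = min(r.metric for r in best)
    best = [r for r in best if r.metric == best_metric]
    return best[0], len(best) > 1


def gateway_report(routes):
    """Human-readable summary of the default-gateway situation."""
    defaults = default_routes(routes)
    lines = [f"default routes: {len(defaults)}"]
    for r in defaults:
        lines.append(f"  via {r.gateway} on {r.interface} metric {r.metric}")
    if len(defaults) > 1:
        lines.append("WARNING: more than one default gateway; Windows uses one "
                     "at a time, so replies to Internet clients may leave "
                     "through the wrong router (asymmetric routing behind NAT)")
    return "\n".join(lines)


# Sample input: the SERVER2 IPv4 table pasted in the thread above.
SERVER2_ROUTE_PRINT = """IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.65.1   192.168.65.100    276
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.101    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link     192.168.1.101    276
    192.168.1.101  255.255.255.255         On-link     192.168.1.101    276
    192.168.1.255  255.255.255.255         On-link     192.168.1.101    276
     192.168.65.0    255.255.255.0         On-link    192.168.65.100    276
   192.168.65.100  255.255.255.255         On-link    192.168.65.100    276
   192.168.65.255  255.255.255.255         On-link    192.168.65.100    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.65.100    276
        224.0.0.0        240.0.0.0         On-link     192.168.1.101    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.65.100    276
  255.255.255.255  255.255.255.255         On-link     192.168.1.101    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.65.1  Default
          0.0.0.0          0.0.0.0      192.168.1.1  Default
===========================================================================
"""

if __name__ == "__main__":
    table = parse_route_print(SERVER2_ROUTE_PRINT)
    print(gateway_report(table))
    for ip in ("192.168.1.136", "8.8.8.8"):
        route, ambiguous = select_route(table, ip)
        print(f"{ip}: interface {route.interface} via {route.gateway}"
              f"{' (AMBIGUOUS)' if ambiguous else ''}")
```

Run against the SERVER2 table, the script shows why the SQL connection to 192.168.1.136 is unaffected by the gateway question (the 192.168.1.0/24 route is on-link on NIC2, so no gateway is consulted) while any Internet destination is ambiguous between the two routers. That ambiguity is what the "multiple gateways" article linked later in the thread describes: keep a single default gateway on the host and reach other internal subnets with explicit static routes, and scope the SQL firewall rule to the web server's address on that subnet rather than to a whole NIC.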
ASKER CERTIFIED SOLUTION
Hex255

DevMikeDallas

ASKER
It looks like I had also typed the name of the database wrong on Server2. SQL access now works for both websites.

On the gateway issue, is there a way I can demonstrate this is a problem? It all seems to be working...

I have been modifying rules in the firewall so that port 80 inbound only comes from gateway 192.168.65.1, and after adding ports 1443, 1444 to the NIC2 (192.168.1.101) the SQL server is accessible. I also turned off one of the TCP parameters in the registry for server2, ICMP redirect I think, during some review to harden the TCP/IP stack... Windows 2008 was missing some of the items listed here, and others were already hardened:
http://msdn.microsoft.com/en-us/library/aa302363.aspx

By the way, there is another person who did a similar setup and a similar solution proposed:
https://www.experts-exchange.com/questions/20861927/Dual-NIC-Setup.html

I am going to test setting the gateway to the first router, 192.168.1.1, and see if that works. I will let you know.
DevMikeDallas

ASKER
Well, it all seems to be working except network browse, of course. And I found the article that explained the issue in detail, thanks to your answer that pointed me in the right direction:

http://windows.microsoft.com/en-US/windows-vista/Configuring-multiple-gateways-on-a-network