Solved

Getting OWA to work when 443 is already in use

Posted on 2011-02-21
Last Modified: 2012-06-27
Hi All!

Got an SBS 2003 machine on a network where port 443 is already in use by a LOB application.  After discussing changing the port that SBS uses for OWA, people here on EE decided that wouldn't be a good idea, as it would break some of the key features of SBS.  So, the suggestion was made to get a 2nd external IP address that we COULD forward 443 on - which I have done.

So now, I have a second IP address, with a second router, on which I have forwarded port 443 to the Exchange server.  The primary router on the original IP address NATs to the 192.168.x.x range, so I set the second one to NAT to the 172.16.x.x range, and I have assigned a 172.16.x.x address as a second address on the Exchange server NIC.

Unfortunately, this is not working.  I'm THINKING it has something to do with needing to set up a Route for the replies on the 172.16 net to get back out to the appropriate router, but A) I'm not sure that's it, and B) I have no idea how to do it.

If I add a 172.16 address to a machine on the internal LAN, it works fine from the internal machine, but I'm suspecting that has something to do with the fact that those machines are also still on the 192.168 LAN and are getting responses that way.

Thoughts?  Help?  Suggestions???
Question by:markhaase
15 Comments
 
LVL 10

Expert Comment

by:ChopperCentury
ID: 34948115
Second NIC on SBS, assign IP with same internal subnet, just a different IP than the primary NIC that uses your other 443 application.
Create a new web site instance in IIS and move your app to that, associate the primary NIC with that IIS site.
Set your second NIC IP to attach to the default website and make sure OWA is accessible internally.
NAT the second internal IP to an open external address and build an ACL for 443 permissions.
0
 
LVL 13

Expert Comment

by:connectex
ID: 34948207
Just know that the SBS network wizards (all the ones under Network->Connectivity) were built for one NIC usage. So by adding a second NIC or even teaming NICs you can no longer use them. The best way to be SBS friendly would be to move your LOB application to another port. SBS has many references that use 443.
0
 

Author Comment

by:markhaase
ID: 34948211
Unfortunately, the "other" 443 app is on a different machine.  So the router forwards all 443 requests to that machine.  The purpose of the 2nd external IP address is so that with a 2nd router, we CAN forward 443 requests on that IP to the Exchange server.  I THINK if I changed the Default Gateway on the SBS/EXCHANGE box to the IP of the second router, then OWA would work....but that would screw the internal Exchange users up...no?

0
 
LVL 13

Expert Comment

by:connectex
ID: 34948223
Why do you need a second router? Doesn't your original router support multiple external IPs?
0
 

Author Comment

by:markhaase
ID: 34948225
connectex: Unfortunately, the LOB service can't be moved.  I'm not so concerned about the wizards....Once this is set, I shouldn't need to change things.

0
 
LVL 13

Expert Comment

by:connectex
ID: 34948252
Personally it sounds pretty simple. If you have a decent router, two external IPs, and can set up proper forwarding, you would continue to use the first external IP for the LOB and set up SBS to use the second external IP. Now each system has its own external IP and port conflicts are a thing of the past. I have this same configuration here as I have 4 external IPs and three systems that I needed to allow access to port 80. So each has its own external IP.
0
 

Author Comment

by:markhaase
ID: 34948254
>>Why do you need a second router? Doesn't your original router support multiple external IPs?

No, it's a "Consumer grade" router...besides, even if it DID, I couldn't get it to send 443 requests from 1 IP to one machine, and 443 requests from the 2nd IP to a different machine - could I?
0
 

Author Comment

by:markhaase
ID: 34948267
>>I have 4 external IPs and three systems that I needed to allow access to port 80. So each has its own external IP.

And the router moves port 80 requests from "IP-1" to one machine, and port 80 requests from "IP-2" to a different machine?  And both machines are on the same subnet?
0
 

Author Comment

by:markhaase
ID: 34948309
>>And setup SBS to use the second external IP.

I'm assuming you mean setting up the default gateway to use the second external IP?  And that wouldn't interfere with machines on the 1st subnet communicating with the SBS box?

Please forgive me if these seem like stupid questions...I'm just a little perplexed...

0
 
LVL 13

Expert Comment

by:connectex
ID: 34948361
I'm talking for example:

204.190.101.100 -> 192.168.0.2
204.190.101.101 -> 192.168.0.3
204.190.101.102 -> 192.168.0.4

All handled by one security device, allowing you to have any needed port configuration to each internal IP. What type of internet connection do you have? Who's the provider?
0
 

Author Comment

by:markhaase
ID: 34948408
>What type of internet connection do you have? Who's the provider?

It's a Comcast Business class block of 5 static IPs.  The main IP we use for regular business stuff goes through a consumer grade router (Netgear) - which forwards port 443 off to the machine handling the LOB application and handles NAT-ing to the 192.168.1.x subnet, which the office uses.

The router won't support a second WAN IP, so I'm using a second consumer grade one to handle the second WAN IP by NAT-ing to the 172.16.0.x subnet and forwarding port 443 on THIS IP to the SBS box.

What I THINK is happening is that the SBS box is getting the packets from that second router, but it can't find a way to send the return packets.

In a nutshell:

173.164.161.100:443 ---->  192.168.0.6
173.164.161.101:443 ---->  172.16.0.20

You're saying that a better router would let me do:

173.164.161.100:443 ---->  192.168.0.6
173.164.161.101:443 ---->  192.168.0.20

?

0
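The failure the poster describes above is the classic asymmetric-return problem: the SBS box picks the gateway for its reply by destination only, so a SYN that arrived through the second router's port forward is answered out of the single default gateway (the primary router), which holds no NAT state for that flow. The following added example (not code from the thread) models that host routing table in Python, assuming gateway addresses 192.168.1.1 and 172.16.0.1 and an RFC 5737 client address, and shows why the internal test with a 172.16 address passes while the Internet path fails, and how a source-aware rule would change the outcome.

```python
import ipaddress

# Constructed model of the SBS box in the thread: one NIC with two addresses
# (192.168.1.x and 172.16.0.x) and a single default gateway. The gateway
# addresses and the client address are assumptions, not values from the thread.
PRIMARY_ROUTER = "192.168.1.1"
SECOND_ROUTER = "172.16.0.1"
SECOND_LAN = ipaddress.ip_network("172.16.0.0/24")
ROUTES = [
    # (prefix, next hop; None = directly connected)
    ("192.168.1.0/24", None),             # primary router's LAN
    ("172.16.0.0/24", None),              # second router's LAN
    ("0.0.0.0/0", PRIMARY_ROUTER),        # the one default route
]

def next_hop(dst):
    """Longest-prefix match on the destination only, which is all a
    destination-routed host stack consults when choosing a gateway."""
    dst = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw or "direct"

def reply_next_hop(client, server_addr, source_policy=False):
    """Gateway used for the SYN-ACK of a connection that arrived on server_addr.
    source_policy=True models a device that also routes by source address;
    a single-gateway Windows host has no such rule, hence the default False."""
    hop = next_hop(client)
    if (source_policy and hop == PRIMARY_ROUTER
            and ipaddress.ip_address(server_addr) in SECOND_LAN):
        hop = SECOND_ROUTER   # traffic sourced from the 172.16 address exits via router 2
    return hop

def reply_reaches_client(client, server_addr, source_policy=False):
    """The reply completes the NAT round trip only if it leaves through the router
    whose port forward delivered the SYN, since that router holds the NAT state."""
    hop = reply_next_hop(client, server_addr, source_policy)
    if hop == "direct":
        return True   # same-LAN peer, no NAT involved: the poster's internal test
    ingress = SECOND_ROUTER if ipaddress.ip_address(server_addr) in SECOND_LAN else PRIMARY_ROUTER
    return hop == ingress

if __name__ == "__main__":
    client = "198.51.100.7"   # constructed address from the RFC 5737 documentation range
    print(reply_reaches_client(client, "172.16.0.20"))        # False: reply leaks out via router 1
    print(reply_reaches_client(client, "172.16.0.20", True))  # True: source-based rule fixes it
    print(reply_reaches_client("172.16.0.55", "172.16.0.20")) # True: directly connected
```

Because the host itself cannot apply the source-based rule, the fix has to live in a single edge device that owns both external addresses and does the 1:1 forwarding, which is the direction the thread takes next.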
 
LVL 13

Accepted Solution

by:
connectex earned 500 total points
ID: 34948446
Let me go into more details. Typically I use DSL or cable connection. I get a DSL/cable modem or router device, placed in bridge mode, so they only convert from the connection media type to Ethernet. Now I recommend SonicWALL security devices. They are very functional and also cost effective. They are much more comprehensive than most consumer based router models. The SonicWALL TZ 100 Wireless with Comprehensive Gateway Security Services (CGSS) is only $384.21 on this site: http://www.provantage.com/sonicwall-01-ssc-8723~7SON904W.htm. It's a great edge security device and has no per device connection limits. Here's a comparison of the TZ product line: http://www.sonicwall.com/us/products/TZ_Series.html#tab=compare. The CGSS includes gateway anti-virus / anti-spyware, intrusion prevention, and content filtering. These services are renewed on a yearly or multi-year basis. Also the model I mentioned has 802.11n wireless and supports WPA2-Enterprise, my favorite, using the existing SBS + RADIUS for secure wireless authentication.
0
 
LVL 13

Expert Comment

by:connectex
ID: 34948486
When you consider everything $400 and some time will hopefully:

Solve your current and future port problems.
Improve the network security.
Add secure wireless support, if desired.
Gateway anti-virus / anti-spyware prevent a lot of stuff from getting through to the internal network.
Intrusion prevention stops most known threats. This stops port scans, SYN, XMAS and other common attacks. It also can close down P2P file sharing protocols.
Content filtering can prevent access to inappropriate web sites (i.e. porn and such).
0
 
LVL 13

Expert Comment

by:connectex
ID: 34966115
It's been a couple of days now. Any update on this issue?
0
 

Author Closing Comment

by:markhaase
ID: 34966230
I've pitched them (management) on going with the SonicWall.  It seems like the best idea/solution.  

As a backup/cheaper plan (If they don't want to spring for the $400), I'm looking into Untangle (which can run on a spare WS box they have).  I believe that'll also handle the routing I'll need.

Thanks very much for your advice!
0
