markhaase

Getting OWA to work when 443 is already in use

Hi All!

Got an SBS 2003 machine on a network where port 443 is already in use by a LOB application.  After discussing changing the port that SBS uses for OWA, people here on EE decided that wouldn't be a good idea, as it would break some of the key features of SBS.  So, the suggestion was made to get a 2nd external IP address that we COULD forward 443 on - which I have done.

So now, I have a second IP address, with a second router, on which I have forwarded port 443 to the Exchange server.  The primary router on the original IP address NATs to the 192.168.x.x range, so I set the second one to NAT to the 172.16.x.x range, and I have assigned a 172.16.x.x address as a second address on the Exchange server NIC.

Unfortunately, this is not working.  I'm THINKING it has something to do with needing to set up a route for the replies on the 172.16 net to get back out to the appropriate router, but A) I'm not sure that's it, and B) I have no idea how to do it.

If I add a 172.16 address to a machine on the internal LAN, it works fine from the internal machine, but I'm suspecting that has something to do with the fact that those machines are also still on the 192.168 LAN and are getting responses that way.

Thoughts?  Help?  Suggestions???
ChopperCentury

Add a second NIC on the SBS box and assign it an IP in the same internal subnet, just a different IP than the primary NIC that your other 443 application uses.
Create a new web site instance in IIS and move your app to that, and associate the primary NIC with that IIS site.
Set your second NIC IP to attach to the default web site and make sure OWA is accessible internally.
NAT the second internal IP to an open external address and build an ACL for 443 permissions.
Just know that the SBS network wizards (all the ones under Network->Connectivity) were built for one-NIC usage. So by adding a second NIC or even teaming NICs you can no longer use them. The best way to be SBS friendly would be to move your LOB application to another port. SBS has many references that use 443.
markhaase (ASKER)

Unfortunately, the "other" 443 app is on a different machine.  So the router forwards all 443 requests to that machine.  The purpose of the 2nd external IP address is so that with a 2nd router, we CAN forward 443 requests on that IP to the Exchange server.  I THINK if I changed the default gateway on the SBS/Exchange box to the IP of the second router, then OWA would work....but that would screw the internal Exchange users up...no?

Why do you need a second router? Doesn't your original router support multiple external IPs?
connectex: Unfortunately, the LOB service can't be moved.  I'm not so concerned about the  wizards....Once this is set, I shouldn't need to change things.

Personally it sounds pretty simple. If you have a decent router, two external IPs, and can set up proper forwarding, you would continue to use the first external IP for the LOB and set up SBS to use the second external IP. Now each system has its own external IP and port conflicts are a thing of the past. I have this same configuration here, as I have 4 external IPs and three systems that I needed to allow access to port 80. So each has its own external IP.
>>Why do you need a second router? Doesn't your original router support multiple external IPs?

No, it's a "Consumer grade" router...besides, even if it DID, I couldn't get it to send 443 requests from 1 IP to one machine, and 443 requests from the 2nd IP to a different machine - could I?
>>I have 4 external IPs and three systems that I needed to allow access to port 80. So each has its own external IP.

And the router moves port 80 requests from "IP-1" to one machine, and port 80 requests from "IP-2" to a different machine?  And both machines are on the same subnet?
>>And setup SBS to use the second external IP.

I'm assuming you mean setting up the default gateway to use the second external IP?  And that wouldn't interfere with machines on the 1st subnet communicating with the SBS box?

Please forgive me if these seem like stupid questions...I'm just a little perplexed...

I'm talking for example:

204.190.101.100 -> 192.168.0.2
204.190.101.101 -> 192.168.0.3
204.190.101.102 -> 192.168.0.4

All handled by one security device, allowing you to have any needed port configuration to each internal IP. What type of internet connection do you have? Who's the provider?
>What type of internet connection do you have? Who's the provider?

It's a Comcast Business class block of 5 static IPs.  The main IP we use for regular business stuff goes through a consumer grade router (Netgear), which forwards port 443 off to the machine handling the LOB application and handles NAT-ing to the 192.168.1.x subnet, which the office uses.

The router won't support a second WAN IP, so I'm using a second consumer grade one to handle the second WAN IP by NAT-ing to the 172.16.0.x subnet and forwarding port 443 on THIS IP to the SBS box.

What I THINK is happening is that the SBS box is getting the packets from that second router, but it can't find a way to send the return packets.

In a nutshell:

173.164.161.100:443 ---->  192.168.0.6
173.164.161.101:443 ---->  172.16.0.20

You're saying that a better router would let me do:

173.164.161.100:443 ---->  192.168.0.6
173.164.161.101:443 ---->  192.168.0.20

?
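
Added editorial example, not written by any participant in this thread: the rule set a single Linux/iptables gateway (the kind of box the Untangle fallback mentioned later in the thread is built on) would need to implement the two mappings drawn above, so that port 443 on each public address reaches a different host on the same internal subnet. It uses the public block and internal addresses quoted in the thread; the interface names eth0/eth1 and the use of 173.164.161.100 as the office's general outbound address are assumptions. The per-host SNAT line is the part worth noting: each internal host's traffic leaves with the public IP it was reached on, so replies take a symmetric path through the one gateway, which is exactly what the asker suspects the two-router setup cannot do because the SBS box has a single default gateway.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules for a Linux gateway
# that owns several public IPs and forwards the same port on each to a different
# internal host. Addresses are the ones quoted in the thread; eth0/eth1 are assumed.
WAN_IF=eth0   # assumed: interface carrying the public static block
LAN_IF=eth1   # assumed: interface on the office 192.168.0.x subnet

SEEN=""       # public ip:port pairs already forwarded, to catch real conflicts

# nat_pair PUBLIC_IP PRIVATE_IP "PORT [PORT...]"
# Prints the DNAT (inbound), FORWARD ACL and SNAT (outbound) rules for one host.
nat_pair() {
  pub=$1; priv=$2; ports=$3
  for p in $ports; do
    # A conflict only exists when the SAME public address:port is claimed twice;
    # the same port on two different public addresses is fine.
    case " $SEEN " in
      *" $pub:$p "*) echo "error: $pub:$p is already forwarded" >&2; return 1 ;;
    esac
    SEEN="$SEEN $pub:$p"
    # Inbound: rewrite the destination of packets for PUBLIC_IP:PORT to the host.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -p tcp --dport $p -j DNAT --to-destination $priv:$p"
    # ACL: permit only the new connections we explicitly opened (FORWARD policy is DROP).
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Outbound: everything from this host leaves with ITS public IP, so replies go
  # back out the same address they came in on; no second router or gateway needed.
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
}

# gen_rules prints the complete rule set for the two mappings in the thread.
gen_rules() {
  SEEN=""
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  nat_pair 173.164.161.100 192.168.0.6  443   # LOB application server
  nat_pair 173.164.161.101 192.168.0.20 443   # SBS box: OWA
  # Everyone else on the LAN goes out the main address (assumed to be .100).
  # Must come AFTER the per-host SNAT rules: the nat table uses first match.
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s 192.168.0.0/24 -j SNAT --to-source 173.164.161.100"
}

gen_rules
```

Run it and pipe the output to sh on the gateway once the interface names and the "main" address are adjusted; the FORWARD policy of DROP plus the per-port ACCEPT lines is the "ACL for 443 permissions" suggested earlier in the thread, and the duplicate check makes the conflict rule explicit: two hosts on port 443 only collide when they share a public address.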

ASKER CERTIFIED SOLUTION
connectex

When you consider everything, $400 and some time will hopefully:

Solve your current and future port problems.
Improve the network security.
Add secure wireless support, if desired.
Gateway anti-virus / anti-spyware prevent a lot of stuff from getting through to the internal network.
Intrusion prevention stops most known threats. This stops port scans, SYN, XMAS and other common attacks. It also can close down P2P file sharing protocols.
Content filtering can prevent access to inappropriate web sites (i.e. porn and such).
It's been a couple of days now. Any update on this issue?
I've pitched them (management) on going with the SonicWall.  It seems like the best idea/solution.  

As a backup/cheaper plan (If they don't want to spring for the $400), I'm looking into Untangle (which can run on a spare WS box they have).  I believe that'll also handle the routing I'll need.

Thanks very much for your advice!