Getting OWA to work when 443 is already in use

Hi All!

Got an SBS 2003 machine on a network where port 443 is already in use by a LOB application.  After discussing changing the port that SBS uses for OWA, people here on EE decided that wouldn't be a good idea, as it would break some of the key features of SBS.  So, the suggestion was made to get a 2nd external IP address that we COULD forward 443 on - which I have done.

So now, I have a second IP address, with a second router, on which I have forwarded port 443 to the Exchange server.  The primary router on the original IP address NATs to the 192.168.x.x range, so I set the second one to NAT to the 172.16.x.x range, and I have assigned a 172.16.x.x address as a second address on the Exchange server NIC.

Unfortunately, this is not working.  I'm THINKING it has something to do with needing to set up a route for the replies on the 172.16 net to get back out to the appropriate router, but A) I'm not sure that's it, and B) I have no idea how to do it.

If I add a 172.16 address to a machine on the internal LAN, it works fine from the internal machine, but I'm suspecting that has something to do with the fact that those machines are also still on the 192.168 LAN and are getting responses that way.

Thoughts?  Help?  Suggestions???
ChopperCentury Commented:
Second NIC on SBS: assign an IP in the same internal subnet, just a different IP than the primary NIC that uses your other 443 application.
Create a new web site instance in IIS and move your app to that; associate the primary NIC with that IIS site.
Set your second NIC IP to attach to the default website and make sure OWA is accessible internally.
NAT the second internal IP to an open external address and build an ACL for 443 permissions.
connectex Commented:
Just know that the SBS network wizards (all the ones under Network->Connectivity) were built for one NIC usage. So by adding a second NIC or even teaming NICs you can no longer use them. The best way to be SBS friendly would be to move your LOB application to another port. SBS has many references that use 443.
markhaase Author Commented:
Unfortunately, the "other" 443 app is on a different machine.  So the router forwards all 443 requests to that machine.  The purpose of the 2nd external IP address is so that with a 2nd router, we CAN forward 443 requests on that IP to the Exchange server.  I THINK if I changed the Default Gateway on the SBS/EXCHANGE box to the IP of the second router, then OWA would work....but that would screw the internal Exchange users up...no?

connectex Commented:
Why do you need a second router? Doesn't your original router support multiple external IPs?
markhaase Author Commented:
connectex: Unfortunately, the LOB service can't be moved.  I'm not so concerned about the wizards....Once this is set, I shouldn't need to change things.

connectex Commented:
Personally it sounds pretty simple, if you have a decent router, two external IPs, and can set up proper forwarding. You would continue to use the first external IP for the LOB, and set up SBS to use the second external IP. Now each system has its own external IP and port conflicts are a thing of the past. I have this same configuration here, as I have 4 external IPs and three systems that I needed to allow access to port 80. So each has its own external IP.
markhaase Author Commented:
>>Why do you need a second router? Doesn't your original router support multiple external IPs?

No, it's a "Consumer grade" router...besides, even if it DID, I couldn't get it to send 443 requests from 1 IP to one machine, and 443 requests from the 2nd IP to a different machine - could I?
markhaase Author Commented:
>>I have 4 external IPs and three systems that I needed to allow access to port 80. So each has it's own external IP.

And the router moves port 80 requests from "IP-1" to one machine, and port 80 requests from "IP-2" to a different machine?  And both machines are on the same subnet?
markhaase Author Commented:
>>And setup SBS to use the second external IP.

I'm assuming you mean setting up the default gateway to use the second external IP?  And that wouldn't interfere with machines on the 1st subnet communicating with the SBS box?

Please forgive me if these seem like stupid questions...I'm just a little perplexed...

connectex Commented:
I'm talking for example:

204.190.101.100 -> 192.168.0.2
204.190.101.101 -> 192.168.0.3
204.190.101.102 -> 192.168.0.4

All handled by one security device, allowing you to have any needed port configuration to each internal IP. What type of internet connection do you have? Who's the provider?
markhaase Author Commented:
>What type of internet connection do you have? Who's the provider?

It's a Comcast Business class block of 5 static IPs.  The main IP we use for regular business stuff goes through a consumer grade router (Netgear) - which forwards port 443 off to the machine handling the LOB application and handles NAT-ing to the 192.168.1.x subnet, which the office uses.

The router won't support a second WAN IP, so I'm using a second consumer grade one to handle the second WAN IP by NAT-ing to the 172.16.0.x subnet and forwarding port 443 on THIS IP to the SBS box.

What I THINK is happening is that the SBS box is getting the packets from that second router, but it can't find a way to send the return packets.

In a nutshell:

173.164.161.100:443 ---->  192.168.0.6
173.164.161.101:443 ---->  172.16.0.20

You're saying that a better router would let me do:

173.164.161.100:443 ---->  192.168.0.6
173.164.161.101:443 ---->  192.168.0.20

?

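The return-path problem markhaase describes above, and the single-router 1:1 mapping connectex proposed, modelled as an added Python example (not code from the thread): the SBS box chooses its reply gateway by destination only, so replies to an OWA client leave through the first router, which holds no NAT state for that flow. The subnets and external IPs follow the "nutshell" mappings above; the client address and router LAN addresses are constructed.

```python
import ipaddress

# Constructed model of the question's setup (not code from the thread): two
# consumer routers, each NATing its own external IP into a different private
# subnet, and one SBS box with an address in each subnet but a single default
# gateway. The client address is a constructed example, not one from the thread.
CLIENT = "198.51.100.7"   # an OWA user somewhere on the internet

TWO_ROUTERS = [
    {"lan_gw": "192.168.0.1", "lan": "192.168.0.0/24",
     "forward_443": {"173.164.161.100": "192.168.0.6"}},   # existing router, LOB app
    {"lan_gw": "172.16.0.1", "lan": "172.16.0.0/24",
     "forward_443": {"173.164.161.101": "172.16.0.20"}},   # second router, SBS/OWA
]
SBS_TWO_SUBNETS = [  # (prefix, gateway or None when on-link, interface address)
    ("0.0.0.0/0", "192.168.0.1", "192.168.0.6"),          # default gateway: router 1
    ("192.168.0.0/24", None, "192.168.0.6"),
    ("172.16.0.0/24", None, "172.16.0.20"),
]

# connectex's alternative: one router, two external IPs mapped 1:1 onto one LAN.
ONE_ROUTER = [
    {"lan_gw": "192.168.0.1", "lan": "192.168.0.0/24",
     "forward_443": {"173.164.161.100": "192.168.0.6",
                     "173.164.161.101": "192.168.0.20"}},
]
SBS_ONE_SUBNET = [
    ("0.0.0.0/0", "192.168.0.1", "192.168.0.20"),
    ("192.168.0.0/24", None, "192.168.0.20"),
]

def next_hop(routes, dst):
    """Longest-prefix match on the destination; the source address plays no part."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, gw, _ifaddr in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def trace_owa(routes, routers, external_ip, client=CLIENT):
    """Follow one inbound 443 connection and check whether the reply leaves
    through the router that holds the NAT state for it."""
    inbound = next(r for r in routers if external_ip in r["forward_443"])
    internal_ip = inbound["forward_443"][external_ip]   # DNAT applied on the way in
    reply_gw = next_hop(routes, client)                  # SBS picks the gateway by destination only
    outbound = next(r for r in routers if r["lan_gw"] == reply_gw)
    # A consumer router only un-translates replies for flows it created itself,
    # and only when the reply's source sits inside its own LAN.
    delivered = outbound is inbound and \
        ipaddress.ip_address(internal_ip) in ipaddress.ip_network(outbound["lan"])
    return {"dnat_to": internal_ip, "reply_via": reply_gw, "delivered": delivered}
```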
connectex Commented:
Let me go into more details. Typically I use a DSL or cable connection. I get a DSL/cable modem or router device, placed in bridge mode, so they only convert from the connection media type to Ethernet. Now I recommend SonicWALL security devices. They are very functional and also cost effective. They are much more comprehensive than most consumer based router models. The SonicWALL TZ 100 Wireless with Comprehensive Gateway Security Services (CGSS) is only $384.21 on this site: http://www.provantage.com/sonicwall-01-ssc-8723~7SON904W.htm. It's a great edge security device and has no per device connection limits. Here's a comparison of the TZ product line: http://www.sonicwall.com/us/products/TZ_Series.html#tab=compare. The CGSS includes gateway anti-virus / anti-spyware, intrusion prevention, and content filtering. These services are renewed on a yearly or multi-year basis. Also the model I mentioned has 802.11n wireless and supports WPA2-Enterprise, my favorite, using the existing SBS + RADIUS for secure wireless authentication.
connectex Commented:
When you consider everything, $400 and some time will hopefully:

Solve your current and future port problems.
Improve the network security.
Add secure wireless support, if desired.
Gateway anti-virus / anti-spyware prevents a lot of stuff from getting through to the internal network.
Intrusion prevention stops most known threats. This stops port scans, SYN, XMAS and other common attacks. It also can close down P2P file sharing protocols.
Content filtering can prevent access to inappropriate web sites (i.e. porn and such).
connectex Commented:
It's been a couple of days now. Any update on this issue?
markhaase Author Commented:
I've pitched them (management) on going with the SonicWall.  It seems like the best idea/solution.  

As a backup/cheaper plan (If they don't want to spring for the $400), I'm looking into Untangle (which can run on a spare WS box they have).  I believe that'll also handle the routing I'll need.

Thanks very much for your advice!