Website won't display internally

I've exhausted myself reading posts about DNS issues and still cannot resolve my own.  I know our landscape is messed up, so bear with me.

My company's internal AD domain (company.com) is the same name as our external public domain (company.com).  We have our website (www.company.com) hosted with Hubspot (third-party company), so it's external.  Our public DNS (and email) for company.com is also hosted externally.  My internal company.com domain has a DC/DNS server combined which I control.

Problem:  I have a Sharepoint (web) server hosted internally at our office.  I have an A-record with static external IP setup on the public DNS and my firewall NAT'd from external IP to internal IP.  But when I try to access https://sharepoint.company.com internally I get 'page not displayed'.  If I access from external network it's fine.

I can add a local host file entry on my laptop and give sharepoint.company.com an internal IP, which allows the page to display internally.  I've read that I might need a new forward lookup zone for sharepoint.company.com and create an A-record for the internal IP.  I did that but it won't display the webpage.

Where am I going wrong?  How do I get https://sharepoint.company.com to display from either internal or external network, without having to edit host file on individual laptops?
network-adminAsked:
xtermCommented:
How can you be sure it's a DNS issue?

If you do "nslookup sharepoint.company.com" externally, does it resolve to a different IP address than if you do the same nslookup from an internal machine?

If you get the same IP returned for both, then this has nothing to do with DNS.  If you get a different result, then let's look at what IPs are being given to your internal machines for DNS.  Do you control those servers?  If so, are they claiming authority for the company.com zone, but perhaps don't have the sharepoint A record configured?
0
P1iskenCommented:
Are you using RRAS for your NAT architecture in your office?  Please advise how you are NATing.

Thanks,

P1isken
0
network-adminAuthor Commented:
@xterm
nslookup externally returns the IP I'd expect (the external IP)
nslookup internally returns the internal IP for that server

If I "ipconfig /all" on my laptop I see two internal DNS servers (normal) as well as two external DNS servers.  I've removed the external entries in the past so only internal DNS is served, but our web browsing slows to a crawl (perhaps because my internal DNS server is old and underpowered?).

I do control the internal DNS and I do have an A-record for sharepoint in the forward zone for company.com.  I also created the zone sharepoint.company.com and have an A-record there with the internal IP of the web server.

@P1isken:  All my NATing is done on our firewall, basically open a port from external IP to internal IP.  We have a Watchguard Firebox at the moment.  Not sure if that answers your questions.
0

xtermCommented:
Okay, so this isn't a DNS problem, it's a web server issue.

I will take it that you can ping the internal IP of the web server successfully, but you simply cannot pull up the site.   Thus, there are two possibilities:

1) The web server isn't configured to listen on the internal IP
2) The web server is listening on the internal IP, but hasn't been told to answer for sharepoint.company.com on the internal IP.

Is this an Apache web server with a VirtualHost?

If you do (from an internal machine) the following, what do you get?

$>  telnet <internal ip of web server> 443

Do you get a response on port 443?

On the server itself, what is shown when you do the following:

$>  netstat -na | grep :443
0
xtermCommented:
I'm not familiar with Sharepoint, but having googled a bit, it appears you're trying to basically run it on two IP addresses on the same machine, which may simply not be possible (see http://objectmix.com/sharepoint/294235-hosting-multiple-sharepoint-sites-same-machine-same-port.html for somebody else attempting the same thing)

Why don't you simply set your internal DNS server to resolve the name to the external IP of the sharepoint server?  What difference does it make if your clients go out through your NAT server and hit it from the outside like everybody else?
0
network-adminAuthor Commented:
Q: I will take it that you can ping the internal IP of the web server successfully, but you simply cannot pull up the site...
A: yes can ping the internal IP successfully.

Q:  Is this an Apache web server with a VirtualHost?
A:  No, IIS 7

Q:  Telnet internal IP, do you get a response on port 443?
A:  NO

Q: On the server itself, what is shown when you do the following: $>  netstat -na |grep :443
A: the GREP is not recognized as internal or external command, I must have the syntax wrong.  I can do netstat -na and get a list of active connections.  Can I pick out what you need from there?

Q:Why don't you simply set your internal DNS server to resolve the name to the external IP of the sharepoint server?  What difference does it make if your clients go out through your NAT server and hit it from the outside like everybody else?
A: It makes no difference to me... how do I set this up?  Where am I making the change on my DNS server to give the external IP?  Do I even need the forward lookup zone for sharepoint.company.com?
0
xtermCommented:
>Q:  Telnet internal IP, do you get a response on port 443?
>A:  NO

That means IIS is not listening on the internal IP on https

> Q: On the server itself, what is shown when you do the following: $>  netstat -na |grep :443
> A: the GREP is not recognized as internal or external command, I must have the syntax wrong.  I can do netstat -na and get a list of active connections.  Can I pick out what you need from there?

I mistakenly thought you were running a Unix server which has the grep command.  But your answer above already tells me all I need to know, that you will not see <internal IP>:443 in the output of netstat.

>Q:Why don't you simply set your internal DNS server to resolve the name to the external IP of the sharepoint server?  What difference does it make if your clients go out through your NAT server and hit it from the outside like everybody else?
> A: It makes no difference to me... how do I set this up?  Where am I making the change on my DNS server to give the external IP?  Do I even need the forward lookup zone for sharepoint.company.com?

You don't need a separate ZONE for sharepoint.company.com - just a single A record.  So in the zone for company.com where you have all your other records (www, ftp, mail, etc.) just find the one that says:

sharepoint IN A <internal IP>

and change it to

sharepoint IN A <external IP>

Update the serial number in the zone file, reload it, and you should be good to go.
0
network-adminAuthor Commented:
I changed the A-record on company.com for sharepoint, giving the external IP.  It gave a warning about an associated pointer record not being created because the reverse lookup zone wasn't there.

I tried the site again but got the same page not displayed error.

Maybe I got the telnet part wrong... my binding for port 443 has a * for the IP.  If I have a user connected to the website and I run netstat I can see <internal IP>:443 as established.  

The telnet doesn't give an error, it just opens a blank cmd window with the IP at the top.  When I try telnet to another server I get a 'connection failed' response in my cmd window.
0
xtermCommented:
Let's focus on one thing at a time.  After you changed the A record for sharepoint.company.com to the external IP, did you:

1)  Verify that the internal machine gets the correct (external IP) response via nslookup?
2)  Dump the web browser cache, and close/reopen it to ensure that it's still not going to the internal IP?

0
network-adminAuthor Commented:
Right now if I ping internal and external I get the external IP.  If I nslookup internal and external I get the external IP.

I did dump the browser cache and even tried from other internal resources, no joy.
0
xtermCommented:
Are you able to ping the server's external IP address from internal machines?

What happens if you just put in your browser https://<external IP address>/ instead of the name?
0
network-adminAuthor Commented:
EXTERNAL TEST:  https://<external IP>
<external IP> uses an invalid security certificate.
The certificate is only valid for the following names:
sharepoint.company.com , www.sharepoint.company.com 
(Error code: ssl_error_bad_cert_domain)

INTERNAL TEST:  https://<internal IP>
The security certificate presented by this website was issued for a different website's address.

INTERNAL TEST:  https://<external IP>
Cannot display page
0
network-adminAuthor Commented:
Forgot to say, I can ping external IP from internal address and get replies.
0
network-adminAuthor Commented:
Bump!  Anyone out there to help?

How can I view my webpage from my internal network which hosts the server, as well as view it from external networks... all using the same https URL?
0
xtermCommented:
At this point it's unclear to me why you can't pull up the external IP site - "Cannot display page" is pretty generic.  Can you try a different browser and see if it gives you anything more verbose than that?  If you traceroute to the external IP, are you REALLY getting there?  Or is your client machine actually getting something other than an actual ping response from the external IP?

As to the internal IP, it does actually seem like your web server is listening on port 443, so there may be some hope here.  The web server will need to be set up to listen on the internal IP as well, but if it's a separate virtual host (like sharepoint.internal.mycompany.com for instance) then the certificate will not match the name of the site.  It seems like this is already the case on the external site (aka, it wants www.sharepoint instead of just sharepoint) so that's not a big deal - you can just acknowledge and save the exceptions in your browser.  Can you get past the certificate warning currently when you go to https://<internal IP>?
0
network-adminAuthor Commented:
> At this point its unclear to me why you can't pull up the external IP site - "Cannot display page" is pretty generic.  Can you try a different browser and see if it gives you anything more verbose than that?

Firefox is unable to connect
Firefox can't establish a connection to the server at sharepoint.company.com.
• The site could be temporarily unavailable or too busy. Try again in a few moments.
• If you are unable to load any pages, check your computer's network connection.
• If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

Internet Explorer cannot display the webpage
This problem can be caused by a variety of issues, including:
• Internet connectivity has been lost.
• The website is temporarily unavailable.
• The Domain Name Server (DNS) is not reachable.
• The Domain Name Server (DNS) does not have a listing for the website's domain.
• There might be a typing error in the address.
• If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.
 

> If you traceroute to the external IP, are you REALLY getting there?  Or is your client machine actually getting something other than an actual ping response from the external IP?

If I traceroute from internal, it comes back in one hop with the external IP and ISP's domain info (static IP).
If I traceroute from external network it comes back in 16 hops with the same info.

> Can you get past the certificate warning currently when you go to https://<internal IP>?
Yes, I just click the 'continue to site' or 'add exception' and it goes through.  It's just expecting the certificate to be sharepoint.company.com or www.sharepoint.company.com.
0
xtermCommented:
> Can you get past the certificate warning currently when you go to https://<internal IP>?
> Yes, I just click the 'continue to site' or 'add exception' and it goes through.  It's just expecting the certificate to be sharepoint.company.com or www.sharepoint.company.com.

So can we just change the internal DNS resolution of sharepoint.company.com back to the internal IP, and call the problem solved?
0
network-adminAuthor Commented:
This is what I do currently... if outside our office use https://sharepoint.company.com, if inside our office use https://<internal IP>.

As smart as humans are this still seems to confuse people, causes issues with sending links, etc.  This is why I was hoping to get https://sharepoint.company.com working from wherever the user is.  
0
xtermCommented:
Right, what I'm saying to you is let's set the internal DNS server to resolve sharepoint.company.com to the internal IP (like it evidently was originally, although I have doubts)

Initially when you told me that the internal IP wasn't listening on 443, I had you change the A record to resolve to the external IP.  But since we know now that the site's internal IP does indeed listen, let's change DNS back, and then https://sharepoint.company.com should work on both sides, right?
0
network-adminAuthor Commented:
You would think so!  That's why I listed this as a DNS error originally.  I do have the A-record back to the internal IP but still no luck resolving.
0
xtermCommented:
"but still no luck resolving."

Let's be very specific with the terminology here.  "Resolving" means that a client can translate a name to an IP.  Are you telling me the internal machines when doing a lookup on sharepoint.company.com cannot resolve it to <internal IP> by way of nslookup?
0
network-adminAuthor Commented:
I'm sorry for the confusion... when internal and I run nslookup on sharepoint.company.com, it does come back with the internal IP (since we changed the A-record).
0
xtermCommented:
I'm more confused now, because in the early part of this thread, I had you change sharepoint.company.com in the INTERNAL DNS server to resolve to the EXTERNAL IP.  Then today I asked you to change the A record in the INTERNAL server back to the INTERNAL IP.

Please let me know what state it is in now, and what has changed today.
0
network-adminAuthor Commented:
Above I meant I had changed it back to internal IP when you said to today (it had been external), that is the only change I made today.
0
xtermCommented:
Okay, so earlier you said "it still doesn't resolve", but now you are telling me that it does indeed resolve to the internal IP.

So if it DOES resolve, what actually is failing when you open up an internal web browser to https://sharepoint.company.com/?  And before you did it, did you clear the browser cache and/or restart it?
0
network-adminAuthor Commented:
I cleared all cache... and am also testing from another machine to make sure (which has been rebooted).

If I type https://<internal IP> into a browser I get the certificate error but can proceed to the site.

If I nslookup sharepoint.company.com from internal, I get the internal IP returned.

If I nslookup from external I get the external IP returned.

If I enter https://sharepoint.company.com/ internally I get page not displayed errors like it doesn't know where the server is.  That is what's failing.
0
xtermCommented:
Okay, if you are truly accurate about what you state above, then something is messing around with your web traffic.  Are you using a proxy server?  Do you have any kind of network device that inspects web traffic?
0
xtermCommented:
I should also mention that it is a very bad idea to have both an internal and a public internet facing IP on the same server.   If somebody were to infiltrate your Sharepoint server, they could then see your entire internal network and all the user workstations!
0
network-adminAuthor Commented:
No proxy server.  No device to see web traffic.  I have a Watchguard Firebox which is where I have a policy for HTTPS, it's a NAT translation from external IP to internal IP.  So the public IP isn't on the server exactly.
0
xtermCommented:
Well, that explains why the internal machines can't get to the external IP - they will not be able to source from inside and then come back in via a translation.

So your only option is the internal IP.   If what you are saying, though, is this (and I'm using 1.1.1.1 as code for your internal IP):

1.  Internal machines resolve sharepoint.company.com to 1.1.1.1
2.  Internal machines can access http://1.1.1.1/ fine
3.  Internal machines get "Page cannot be displayed" when they go to http://sharepoint.company.com/

Then only a few possibilities exist:

1.  Browser is going to some other IP than 1.1.1.1, and some caching remains
2.  Web server is not set to answer for sharepoint.company.com on internal IP but isn't returning a good error

I think you need to research with your vendor whether the Sharepoint server is actually capable of listening on two different IPs on the same machine with the same certificate.  That is one of the very earliest things I pointed out to you in this thread.
0
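An added diagnostic script (not from this thread or any participant) that performs xterm's nslookup, telnet-to-443 and certificate-name checks in one pass from whichever network it is run on; it assumes Python 3.9+ with only the standard library, and the hostname and any extra IPs are supplied on the command line. Run from inside the office with the public IP as an extra argument, it shows the hairpin-NAT failure xterm describes next to whether the internal IP's certificate actually covers sharepoint.company.com.

```python
import socket
import ssl
import sys

def cert_dns_names(cert: dict) -> list[str]:
    """DNS names from ssl.getpeercert() output: SAN DNS entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(hostname: str, names: list[str]) -> bool:
    """Browser-style match: exact name, or a wildcard covering exactly one leading label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in names):
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            prefix = host[: -len(name[1:])]
            if prefix and "." not in prefix:
                return True
    return False

def probe(ip: str, hostname: str, port: int = 443, timeout: float = 3.0) -> dict:
    """TCP connect to ip:port (the thread's telnet test), then a TLS handshake with SNI=hostname.
    Chain verification stays on so getpeercert() is populated; hostname checking is off."""
    out = {"ip": ip, "tcp": False, "tls": False, "names": [], "error": ""}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we report a name mismatch ourselves instead of failing
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            out["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                out["tls"] = True
                out["names"] = cert_dns_names(tls.getpeercert())
    except ssl.SSLCertVerificationError as e:  # checked first: it is an OSError subclass
        out["error"] = f"TLS answered, but chain not trusted here: {e.verify_message}"
    except (OSError, ssl.SSLError) as e:
        out["error"] = str(e)
    return out

def report(hostname: str, extra_ips: list[str]) -> list[dict]:
    """Resolve hostname with this machine's resolver (the nslookup step), then probe each resolved
    IP plus any extra IPs, e.g. the NAT'd public IP, which fails from inside unless the firewall hairpins."""
    try:
        resolved = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443, socket.AF_INET)})
    except socket.gaierror:
        resolved = []  # the name does not resolve from this network
    print(f"{hostname} resolves here to: {resolved or 'nothing'}")
    results = []
    for ip in resolved + [x for x in extra_ips if x not in resolved]:
        r = probe(ip, hostname)
        r["match"] = name_matches(hostname, r["names"])
        results.append(r)
        status = ("cert matches" if r["match"] else f"cert only valid for {r['names']}") if r["tls"] else r["error"]
        print(f"  {ip}: tcp={r['tcp']} tls={r['tls']} {status}")
    return results

if __name__ == "__main__":  # usage: python probe.py sharepoint.company.com [public-ip ...]
    report(sys.argv[1], sys.argv[2:])
```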
network-adminAuthor Commented:
Xterm, I really appreciate all the help you gave and how you stuck with this issue.  I'm going to accept your last post as the solution and research listening on two IPs.

I guess my first post should have made the NAT'ing more clear... I put it in bold below just to show you it was there.  Thanks again for all the help!

Problem:  I have a Sharepoint (web) server hosted internally at our office.  I have an A-record with static external IP setup on the public DNS and my firewall NAT'd from external IP to internal IP.  But when I try to access https://sharepoint.company.com internally I get 'page not displayed'.  If I access from external network it's fine.

0
xtermCommented:
You did indeed, and I guess I didn't pay that close attention at the time.  At any rate, good luck with getting this working on the 2nd IP.
0