Solved

Multiple Websites, one External IP

Posted on 2013-06-26
Last Modified: 2013-07-15
I wanted to know how this normally works. I'm very new to websites and hosting, and I have to get one going for our site. We already have a webmail server going for our users.

For example we have a site linking to our SBS 2011 at ex. webmail.com

We are also installing an application server. ex. application.com

Let's say they only have one external address of 1.1.1.1


For example we have a GoDaddy account that hosts both of the external DNS names, and both point to 1.1.1.1.

Can we still use just one external IP address? I called the ISP and apparently we have 4 external IP addresses allocated for us. Is there a point for that? I see a couple of them are dedicated for VPNs.
0
Question by:Pancake_Effect
10 Comments
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 71 total points
It is typical to have many sites on one IP.  I don't know about SBS, but with Windows Server 2012, you can now have multiple SSL domains on one IP.
0
 
LVL 6

Assisted Solution

by:Manuel Marienne-Duchêne
Manuel Marienne-Duchêne earned 71 total points
Yes, it's possible. You configure IIS with multiple identities and web servers.
0
 
LVL 4

Author Comment

by:Pancake_Effect
How would you specify something like that? Because right now when I visit the address it directs automatically to the mail server.

For example on my local network the SBS is on: 192.168.100.1
And the application server is on: 192.168.100.2

Locally I already have A records on our internal DNS that link:
192.168.100.1 to mail.server.com
192.168.100.2 to application.com


How would I make application.com when visiting externally link to our internal 192.168.100.2?
0
 
LVL 12

Assisted Solution

by:TomRScott
TomRScott earned 144 total points
Does the application addressed with application.com use a different port than your mail.server.com?  If so, then the firewall can use port forwarding for the server/target ports.  For each public IP address (assuming in your case, for the one public IP address), public client traffic attempting to access your server via a specified port is redirected to the appropriate private server.

It might be useful to see a diagram to be more specific.

Regarding IIS (the web server service from Microsoft and on SBS), it can host multiple web sites using just one IP address.

 - Tom
0
 
LVL 4

Author Comment

by:Pancake_Effect
Well the SBS is using port 443, and so does the application server we want. I already tried port forwarding it, and it didn't allow me to use that port twice to be redirected.

We only have one IP that shows up when I do a showmemyip on the net, but I believe we have 3 others allocated to us because of our size. I believe only one other one is in use; I believe they are just using it for remote connections for another server.

I'm guessing I have to use a separate IP if both my mail and application servers use port 443?
0

 
LVL 12

Accepted Solution

by:
TomRScott earned 144 total points
I was wondering if that might be the case.

If you have a spare public address it would be simpler to use it as follows:
1 - Add second address to the same public interface of your firewall
2 - Create the address objects, rules, etc. on the firewall for BOTH web sites
3 - Add/change public DNS to add the yyy.application.com FQDN
Note: I would advocate leaving the mail configuration alone and moving the application.com application to the new public address.

You may be able to use a single public IP if you also consolidate both services on the same server with the same private IP but may run into problems with your mail server if using OWA/Exchange.  I have NOT had OWA cohabitate with a "regular" web site on a given web host. Further, the certificate requirements of OWA have been changing from version to version of Exchange and I have not worked with anything since Exchange 2007 using OWA.

One advantage of using two private and two corresponding public addresses is flexibility. By doing so, it would only require "tweaks" to firewall configuration to move one application or the other to a different private server even to a different site.

 - Tom
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 143 total points
you need one of the servers to accept all traffic

this server then makes use of the host: header to identify the traffic that should go to the other server and proxy it accordingly (probably without SSL since that would be useless overhead on your LAN)

you'll need a single SSL cert on the server that faces the internet with ALL the names for all the virtual sites because the SSL negotiation occurs prior to the headers reception.

i'd recommend you do not proxy OWA traffic but rather use the SBS to proxy somewhere else

if you do have multiple external addresses, you really had better not bother with any of this stuff
0
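The approach in the answer above (one internet-facing server holding a certificate with all the names and routing on the Host header), as an added example that is not part of the original thread. The hostnames and private addresses are the ones used in the thread; backend port 80 and the sample certificate name lists are assumptions.

```python
# Added example (not from the thread): Host-header routing for a TLS-terminating
# front end, plus a check that one certificate names every routed site.
# Hostnames and private IPs are the thread's; ports and SAN lists are assumed.

BACKENDS = {
    "mail.server.com": ("192.168.100.1", 80),   # SBS / OWA
    "application.com": ("192.168.100.2", 80),   # application server
}


def normalize_host(header_value):
    """Reduce a raw Host header to a bare lowercase name, or None if malformed."""
    if not header_value:
        return None
    host = header_value.strip().lower()
    if host.startswith("["):            # IPv6 literal: never one of our site names
        return None
    host, _, port = host.partition(":")
    if port and not port.isdigit():
        return None
    host = host.rstrip(".")             # "application.com." is the same name
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789-.")
    if not host or not set(host) <= allowed:
        return None
    return host


def route(header_value):
    """Return the (ip, port) backend for a request, or None to refuse it.

    Unknown names are refused instead of falling through to a default site,
    so a request for any other name never reaches the mail server by accident.
    """
    return BACKENDS.get(normalize_host(header_value))


def san_matches(pattern, hostname):
    """Match one certificate dNSName; '*' may only stand for the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname


def names_missing_from_cert(san_list, hostnames=BACKENDS):
    """List routed hostnames that the front-end certificate does not cover."""
    return sorted(h for h in hostnames
                  if not any(san_matches(p, h) for p in san_list))
```

Running `names_missing_from_cert` against the certificate's name list before adding a site to `BACKENDS` catches the case where a newly routed name would produce certificate warnings for visitors.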
 
LVL 6

Assisted Solution

by:pgstephan
pgstephan earned 71 total points
A load balancer with SSL offload, single SSL certificate (try F5).
Your F5 load balancers can at the same time proxy the OWA, then you have single host to manage all your front end. Then based on the subsequent headers the F5 will be able to forward the traffic to the relevant application (excluding the OWA).

Bear in mind that F5 recently received a certification for the BIG-IP as a real firewall now. So you may just want to get rid of your front end and use F5 as your front end for both, front facing firewall, SSL offload and OWA reverse proxy.
I know people would still want to see a firewall in front of their Internet connection but things have really changed with F5 and I'm seeing them front end for some banking websites. So you can really rely on them.
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 143 total points
if you can afford to add a separate machine, any software vhost and proxy capable such as many web servers (apache, nginx, lighttpd ...) and many software load balancers ( stunnel + haproxy for example ) will do the job.

a pentium 3 with such software will deal with 100 Mo/s throughput easily (and actually more in most cases but you'll hardly find a P3 with a Gb network card), and any dedicated old machine with a Gb network card will do the same job as commercial products (i.e. saturate the 1Gb network with negligible added latency)
0
 
LVL 4

Author Closing Comment

by:Pancake_Effect
Thanks!
0
