ArchiTech89 asked:
IIS - Want to test connectivity from web server instance in DMZ to internal network over HTTP

How does one test connectivity from an IIS web server instance in the DMZ to another web server on the internal network? The connection needs to take place over HTTP, but I'd also like to be able to ping as well.

As it stands, we can see the underlying server OS IP address trying to get through the Cisco ASA (5540), but that gets denied (obviously). What we want to do is connect over HTTP (or ping) from the IP address bound to an instance of the IIS web server.

(Forgive me if it's not called an "instance". I'm just talking about how you can bind a different IP address to different "websites" running under IIS.)

Any ideas how we can test connectivity under the alias of the website IP address on the IIS box? As if we were the website itself? I'd think it'd be doable.

Thanks in advance...
Phil Davidson:
You want one Windows server in the DMZ to have connectivity via HTTP and ICMP (ping) to a server inside the firewall (on the internal network)? Is that correct? HTTP uses port 80. Ping uses port 135. You could write a PowerShell script that tests if ports are open. You could run it on the Windows server in the DMZ and on the client server inside the firewall. If you have a server on the network that is running Unix or Linux, you could install the nmap utility. This command makes it easy to test ports. You could also install Fiddler on a Windows server and use PuTTY to test ports.
ArchiTech89 (asker):
Well, what I really want to know is...

How can I get traffic to source from the the website IP address (under IIS)?

So for example, the server OS address is on perhaps one subnet, but the websites created under the IIS role on that server are on another subnet, or even on different subnets from one another. So the question becomes, how do I source test traffic from one of the websites on the server, and not the server OS IP itself? Does that make sense?

It seems to me that there's got to be an easy answer for this, but I'm not an IIS guy. But if the website sitting on the IIS server can receive destination traffic on a different IP, it seems like it should also be able to source traffic from that IP to somewhere else. That's all...
zulazen:
If the server you are testing from is running Server 2012 R2, you can use Test-NetConnection in PowerShell. This will essentially allow you to "ping a port".

https://technet.microsoft.com/en-us/library/dn372891(v=wps.630).aspx
kevinhsieh:
What exactly are you trying to test, because normally Windows will send traffic from its main IP, or whichever interface has the best route. It would help if you describe what you expect the server to be doing, because I suspect that you think it will do things that it won't. For example, if you connect to a web site on a certain IP, and the web server needs to connect to another server for some reason, say a Windows share to serve a file, the connection that the web server makes to the Windows share has nothing to do with which web site/IP received the original request.

That said, you can route ALL traffic to a specific host through a specific interface by adding a static route.
http://serverfault.com/questions/155947/telnet-source-ip
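As an added example (not posted by anyone in this thread), the PowerShell below shows what the reply above describes: which local address Windows will actually use as the source for a given destination, the route behind that choice, and the per-address SkipAsSource flag that removes an address from source selection altogether. The destination address is an assumption taken from the hypothetical layout used later in the thread; the cmdlets come from the NetTCPIP module (Windows 8 / Server 2012 and later), and the route change at the end is only previewed with -WhatIf.

```powershell
# Added example, not from the original thread. The destination is assumed.
$Destination = '10.100.101.101'   # internal server behind the ASA (assumed)

# 1. Which source address and route the stack would pick for this destination.
#    Find-NetRoute returns two objects: the chosen NetIPAddress and the NetRoute
#    it matched. Filter by property rather than by position to be safe.
$lookup = Find-NetRoute -RemoteIPAddress $Destination
$source = $lookup | Where-Object { $_.PSObject.Properties['IPAddress'] }        | Select-Object -First 1
$route  = $lookup | Where-Object { $_.PSObject.Properties['DestinationPrefix'] } | Select-Object -First 1
'Source address : {0}'              -f $source.IPAddress
'Route used     : {0} via {1} on {2}' -f $route.DestinationPrefix, $route.NextHop, $route.InterfaceAlias

# 2. Every IPv4 address on the box with its SkipAsSource flag. An address flagged
#    True is never chosen as a source (it only accepts inbound traffic), which is
#    the usual setting for extra addresses added so IIS sites can listen on them.
#    If the site addresses here show True, the firewall will only ever see the
#    OS address for outbound connections, matching what the asker observed.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Sort-Object InterfaceIndex, IPAddress |
    Format-Table InterfaceAlias, IPAddress, PrefixLength, SkipAsSource -AutoSize

# 3. Optional: pin traffic for this one host to a specific interface with a host
#    route, as suggested above. This selects the interface, not which of several
#    addresses on that interface is used as the source; that is governed by the
#    SkipAsSource flags shown in step 2. -WhatIf previews without applying.
New-NetRoute -DestinationPrefix "$Destination/32" `
             -InterfaceIndex   $route.InterfaceIndex `
             -NextHop          $route.NextHop `
             -WhatIf
```

Run step 1 before and after any firewall change: if the address it reports is the OS address, that is the address the ASA rule must permit, regardless of which site IP the inbound request arrived on.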
Dan:

A simple test is to use the PING command.  You can tell ping.exe what source address to use:


C:\test>ping /?

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] [-R] [-S srcaddr] [-4] [-6] target_name

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet (IPv4-only).
    -i TTL         Time To Live.
    -v TOS         Type Of Service (IPv4-only. This setting has been deprecated
                   and has no effect on the type of service field in the IP Header).
    -r count       Record route for count hops (IPv4-only).
    -s count       Timestamp for count hops (IPv4-only).
    -j host-list   Loose source route along host-list (IPv4-only).
    -k host-list   Strict source route along host-list (IPv4-only).
    -w timeout     Timeout in milliseconds to wait for each reply.
    -R             Use routing header to test reverse route also (IPv6-only).
    -S srcaddr     Source address to use.
    -4             Force using IPv4.
    -6             Force using IPv6.

So, if your server had the following IP config:

NIC1 = 10.1.11.11/24
NIC2 = 10.2.12.12/24, 10.3.13.13/24, 10.4.14.14/24

To ping a destination IP of 10.100.101.101, the command would be:

ping -S 10.2.12.12 10.100.101.101 -n 100

Where the "-n" option is the number of pings to send.

Reference Link:  https://technet.microsoft.com/en-us/library/cc773052(v=ws.10).aspx

Dan
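The following is an added example, not Dan's code or anything else from the original thread. It is the port-level counterpart of ping -S: a TCP connect and a bare HTTP GET sent from a chosen local address, using the .NET TcpClient constructor that takes a local endpoint to bind before connecting (Test-NetConnection offers no source-address option). The addresses reuse the hypothetical layout above and are assumptions; the internal host name and path are assumptions too.

```powershell
# Added example, not from the original thread. All addresses are assumed.
function Test-SourcedTcpPort {
    param(
        [Parameter(Mandatory)] [ipaddress] $SourceAddress,
        [Parameter(Mandatory)] [string]    $ComputerName,
        [int] $Port      = 80,
        [int] $TimeoutMs = 3000
    )
    $target = "${ComputerName}:$Port"
    $client = $null
    try {
        # Binding to a local endpoint (port 0 = any) forces the source IP. The
        # address must already be assigned to a local interface, or this throws.
        # Binding works even for addresses flagged SkipAsSource.
        $local  = New-Object System.Net.IPEndPoint -ArgumentList $SourceAddress, 0
        $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $local
        $attempt = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $attempt.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # No SYN/ACK and no RST within the timeout: typically dropped by a
            # firewall ACL or no return route, as opposed to 'refused' below.
            return [pscustomobject]@{ Source = $SourceAddress; Target = $target; TcpOpen = $false; Detail = 'timeout (filtered or unroutable)' }
        }
        $client.EndConnect($attempt)
        return [pscustomobject]@{ Source = $SourceAddress; Target = $target; TcpOpen = $true; Detail = "connected from $($client.Client.LocalEndPoint)" }
    } catch [System.Net.Sockets.SocketException] {
        # 'Connection refused' = host reachable but nothing listening;
        # 'requested address is not valid' = $SourceAddress is not local.
        return [pscustomobject]@{ Source = $SourceAddress; Target = $target; TcpOpen = $false; Detail = $_.Exception.Message }
    } finally {
        if ($client) { $client.Close() }
    }
}

function Invoke-SourcedHttpGet {
    param(
        [Parameter(Mandatory)] [ipaddress] $SourceAddress,
        [Parameter(Mandatory)] [string]    $ComputerName,
        [int]    $Port = 80,
        [string] $Path = '/'
    )
    $local  = New-Object System.Net.IPEndPoint -ArgumentList $SourceAddress, 0
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $local
    try {
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        # Minimal HTTP/1.1 request; Connection: close so the server ends the stream.
        $request = "GET $Path HTTP/1.1`r`nHost: $ComputerName`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader  = New-Object System.IO.StreamReader -ArgumentList $stream
        return $reader.ReadLine()    # status line, e.g. "HTTP/1.1 200 OK"
    } finally {
        $client.Close()
    }
}

# Usage with the thread's hypothetical layout: probe the internal server from
# each site address in turn, then fetch a page from one of them.
$siteAddresses = '10.2.12.12', '10.3.13.13', '10.4.14.14'   # assumed IIS site IPs
$internalHost  = '10.100.101.101'                           # assumed internal server
foreach ($ip in $siteAddresses) {
    Test-SourcedTcpPort -SourceAddress $ip -ComputerName $internalHost -Port 80
}
Invoke-SourcedHttpGet -SourceAddress '10.2.12.12' -ComputerName $internalHost -Path '/'
```

Watch the ASA logs while this runs: the connection is explicitly bound, so the firewall sees the site address as the source, which verifies an ACL written for that address. It does not prove an IIS-hosted application will behave the same way; unless the application code binds a local endpoint like this, its outbound connections use whatever source address the OS selects.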
I would also check out nping which is utility that comes as part of the nmap tools.

Link:  nping -  http://nmap.org/nping/
Link: nmap - http://nmap.org/

nping provides very fine-grained control over how you send packets.

Dan
Kevin,

It's a valid point. I'm thinking that you're right -- that I "think it will do things that it won't."

Here's the description, hopefully clearer this time:
There are applications on websites in the DMZ (the websites being on the IIS) which need to
1) further query DBs on the inside network over HTTP, and
2) log files to servers on the inside network over HTTP (not sure how that works, but...).

I'm working on the Cisco ASA (5540) firewall. I was tasked with punching the hole for the website IP addresses themselves (there are multiple websites per IIS), but it's looking like what I really need to do is punch the hole for the underlying Windows Server OS IP address and that will take care of the rest.

On the other hand, it seems like it would be part of IIS to allow the websites themselves to source IP traffic from their respective interfaces. But it doesn't sound like that's the case...
ASKER CERTIFIED SOLUTION
kevinhsieh
(The accepted solution text is not included on this page.)
ArchiTech89 (asker):

I sure wish I could nail down an answer as to whether the IIS can source traffic from specific website IP addresses. From my perspective it would of necessity need to do so. But what I got here is at least an answer for my needs. Thanks!
Dan,

I just wanted to thank you as well. (I had started a comment, but didn't finish it).

It helped me during the process to be able to use ping with a particular source IP address. Too bad I couldn't do both that and specify a target port. But then, with nping I'm thinking that will be possible. But at least I could see that the traffic through the firewall was actually being sourced from the IP address as I expected. It was a good test for me to be able to see. Thanks!