Re: SBS with 2 nic installed for usage for 2 SSL sites



I do know that I have an SBS 2003 prem SP1 with ISA 2004 setup with two IP addresses on the WAN NIC.

I fired up the VMWare image of that configuration which I used when I set it up originally. In this case, the main WAN ip is 192.168.30.8 and all the regular SBS websites use this IP. The second IP is 192.168.30.18. The LAN subnet is 192.168.26.0/24 and the SBS IP address is 192.168.26.2

The 2nd web server listening on 443 is on a separate server located on the LAN at 192.168.26.20.

In ISA server, I created a web publishing rule for the second Web server using SSL to SSL bridging, where the Web server certificate is installed on both IIS and ISA, allowing ISA to inspect the traffic before passing it on to IIS using end to end encryption. The ISA web publishing rule also created a new web listener which listens on "external", as do the default web listeners, but this one is tuned to 192.168.30.18 (and the default ones are manually tuned to only 192.168.30.8, because with two IPs the "external" group covers both IPs).

Since this VM network is connected to my office subnet 192.168.30.0/24, I created a DNS zone on my production SBS and created the necessary records so that workstations on the .30 network can communicate with the VMNet. I access the SBS websites and Exchange from the 30.8 address and the 2nd Web site from 30.18.

Below is a ROUTE PRINT from an SBS2003 with ISA 2004 with one IP per NIC, and then one from the VMWare system.

IPv4 Route Table - SBS 2003 Premium SP1 with ISA 2004 (one ip per NIC)
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 13 21 1c 49 94 ...... HP NC7761 Gigabit Server Adapter
0x10004 ...00 02 b3 9c c8 85 ...... Intel(R) PRO/100 S Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 66.224.217.217 66.224.217.218 1
66.224.217.216 255.255.255.248 66.224.217.218 66.224.217.218 20
66.224.217.218 255.255.255.255 127.0.0.1 127.0.0.1 20
66.255.255.255 255.255.255.255 66.224.217.218 66.224.217.218 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.7.0 255.255.255.0 192.168.7.2 192.168.7.2 20
192.168.7.2 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.7.255 255.255.255.255 192.168.7.2 192.168.7.2 20
224.0.0.0 240.0.0.0 66.224.217.218 66.224.217.218 20
224.0.0.0 240.0.0.0 192.168.7.2 192.168.7.2 20
255.255.255.255 255.255.255.255 66.224.217.218 66.224.217.218 1
255.255.255.255 255.255.255.255 192.168.7.2 192.168.7.2 1
Default Gateway: 66.224.217.217
===========================================================================
Persistent Routes:
None

IPv4 Route Table - SBS 2003 Premium SP1 with ISA 2004 (two IPs on WAN NIC)
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c 29 79 eb f3 ...... VMware Accelerated AMD PCNet Adapter #2
0x10004 ...00 0c 29 79 eb fd ...... VMware Accelerated AMD PCNet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.30.1 192.168.30.8 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.26.0 255.255.255.0 192.168.26.2 192.168.26.2 10
192.168.26.2 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.26.255 255.255.255.255 192.168.26.2 192.168.26.2 10
192.168.30.0 255.255.255.0 192.168.30.8 192.168.30.8 10
192.168.30.8 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.30.18 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.30.255 255.255.255.255 192.168.30.8 192.168.30.8 10
224.0.0.0 240.0.0.0 192.168.26.2 192.168.26.2 10
224.0.0.0 240.0.0.0 192.168.30.8 192.168.30.8 10
255.255.255.255 255.255.255.255 192.168.26.2 192.168.26.2 1
255.255.255.255 255.255.255.255 192.168.30.8 192.168.30.8 1
Default Gateway: 192.168.30.1
===========================================================================
Persistent Routes:
None

Notice on the second routing table, the only difference is the line:
192.168.30.18 255.255.255.255 127.0.0.1 127.0.0.1 10
There are no persistent routes defined, and the gateway and interface point to localhost, just like 30.8.

Here is an ipconfig /all from the server:
C:\Documents and Settings\buddy>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : vm-sbs
Primary Dns Suffix . . . . . . . : gcs.lan
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gcs.lan

Ethernet adapter WAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter #2
Physical Address. . . . . . . . . : 00-0C-29-79-EB-F3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.30.18
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.30.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.30.1
DNS Servers . . . . . . . . . . . : 192.168.26.2
Primary WINS Server . . . . . . . : 192.168.26.2
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-0C-29-79-EB-FD
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.26.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.26.2
Primary WINS Server . . . . . . . : 192.168.26.2


I'm not sure why this setup wouldn't work for you as well. It seems to show that there is only one gateway, but Web traffic does flow for requests to 30.18; of this I'm sure.

Again, I'm unsure how to do this without ISA, but with ISA you get SSL to SSL bridging, which is totally cool. You would need a very expensive Checkpoint or Cisco router to match what ISA can do for Web Publishing. It may be much easier to upgrade to Premium edition and install ISA 2004 than to migrate onto W2K3 std edition.

I hope some of this info helps.

Buddy G ~

<charlie brown> wrote in message news:OxoVwzjcIHA.4880@xxxxxxxxxxxxxxxxxxxxxxx
--<
But I would first suggest to get rid of the extra NIC / router
combination. You can assign two IP addresses to the single WAN nic and
then add the proper route statements.

Thanks for the advice on this, but this kind of setup is also not workable
for SBS.
Even with persistent routing, SBS can only have one gateway at a time.

I really think this is strange behaviour; I always thought that by default
packets arriving at a particular NIC / port are always answered back at the
same NIC / port (unless otherwise told --> setup).


The only solution I can think of is to migrate the site to a win2k3 server,
which does support the usage of multiple NICs / IPs / gateways.


--
«·´`·.(*·.¸(`·.¸ ¸.·´)¸.·*).·´`·»
«.............. CHARLIE ..............»
«·´`·.(¸.·´(¸.·* *·.¸)`·.¸).·´`·»


"Buddy" <buddy@xxxxxxxxxxxxxxxxx> wrote:
news:enkPDGzbIHA.4196@xxxxxxxxxxxxxxxxxxxxxxx
I'm guessing that you have more than one external static IP address and
that you want to use a different IP for each SSL website so that you can
use port 443 on both of them. You are correct that Host headers on SSL
don't work because the data is encrypted.

The only way I've ever done this is with ISA 2004 where you can configure
web listeners. But I would first suggest to get rid of the extra NIC /
router combination. You can assign two IP addresses to the single WAN nic
and then add the proper route statements. One thing to consider is that
with either two external NICs or two external IPs on a single NIC, the
CEICW wizard will not work any more. In order to run the CEICW, you will
need to disable the second external IP first, then put it back in after
the wizard has completed.

I'm unsure how to do this using RRAS. Hopefully someone smarter than me
can jump in?

Of course, many will tell you that hosting websites on a domain controller
is asking for trouble.

Good Luck

Buddy G ~

<charlie brown> wrote in message
news:OZFXWpwbIHA.748@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I am running a standard sbs2k3 server, with two SSL sites.

One site is on the default port (443) and the other is on 4043.
Both sites can be accessed from remote locations (the web).

Using port 4043 as an SSL port is not considered "nice".
I tried to use SSL Host Headers, but this simply did not work.

So I inserted a second NIC in the sbs server and manually configured the
TCP/IP settings.
But for some strange reason I am not able to connect to this
second NIC from the web. I can only connect to NIC2 when I disable NIC1.
Connecting to NIC2 in the private network / ip-range is no problem at
all.

It seems to me that sbs is routing the request back to the gateway
attached to NIC1.
I have never seen this with normal win2k3 servers, how can I instruct sbs
to route the requests to the gateway attached to NIC2?

Some specs :-

NIC1:
ip-address : 192.168.3.250
subnet mask : 255.255.255.0
gateway : 192.168.3.251

NIC2:
ip-address : 192.168.4.250
subnet mask : 255.255.255.0
gateway : 192.168.4.251

Both TCP/IP settings are configured manually.
Both gateways are routers connected to the CPE of the ISP, NAT is setup
correctly.

Kind regards,
--
«·´`·.(*·.¸(`·.¸ ¸.·´)¸.·*).·´`·»
«.............. CHARLIE ..............»
«·´`·.(¸.·´(¸.·* *·.¸)`·.¸).·´`·»
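As an added example that is not part of this thread (it is neither Buddy's nor Charlie's code), the script below parses Windows `route print` output and flags the failure mode Charlie ran into: a second NIC with its own default gateway, where replies for addresses on that NIC leave through the other NIC's gateway because Windows Server 2003 (weak host model) picks a single effective default route by metric, regardless of which interface a packet arrived on. Buddy's two-IP routing table from above is fed in verbatim; the two-gateway table for Charlie's setup is constructed from the addresses in his post (he did not post his own route table), and the metrics 10 and 20 are assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    destination: str
    netmask: str
    gateway: str
    interface: str
    metric: int


# One "Active Routes" row: destination, netmask, gateway, interface, metric.
_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# Buddy's table for the two-IPs-on-one-WAN-NIC VM, copied from his post.
BUDDY_ROUTE_PRINT = """\
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.30.1 192.168.30.8 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.26.0 255.255.255.0 192.168.26.2 192.168.26.2 10
192.168.26.2 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.26.255 255.255.255.255 192.168.26.2 192.168.26.2 10
192.168.30.0 255.255.255.0 192.168.30.8 192.168.30.8 10
192.168.30.8 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.30.18 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.30.255 255.255.255.255 192.168.30.8 192.168.30.8 10
224.0.0.0 240.0.0.0 192.168.26.2 192.168.26.2 10
224.0.0.0 240.0.0.0 192.168.30.8 192.168.30.8 10
255.255.255.255 255.255.255.255 192.168.26.2 192.168.26.2 1
255.255.255.255 255.255.255.255 192.168.30.8 192.168.30.8 1
Default Gateway: 192.168.30.1
"""

# Constructed table for Charlie's two-NIC / two-gateway server, built from the
# addresses in his post. The metrics (10 and 20) are assumed, not from the thread.
CHARLIE_ROUTE_PRINT = """\
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.3.251 192.168.3.250 10
0.0.0.0 0.0.0.0 192.168.4.251 192.168.4.250 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.3.0 255.255.255.0 192.168.3.250 192.168.3.250 10
192.168.3.250 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.4.0 255.255.255.0 192.168.4.250 192.168.4.250 20
192.168.4.250 255.255.255.255 127.0.0.1 127.0.0.1 20
Persistent Routes:
None
"""


def parse_route_print(text):
    """Return the Active Routes rows of an IPv4 `route print` dump as Route objects."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            active = True
            continue
        if line.startswith(("Persistent Routes:", "Default Gateway:")):
            break
        m = _ROW.match(line) if active else None
        if m and m.group(1)[0].isdigit():
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(dest, mask, gw, iface, int(metric)))
    return routes


def default_routes(routes):
    return [r for r in routes if r.destination == "0.0.0.0" and r.netmask == "0.0.0.0"]


def effective_default(routes):
    """The default route Windows actually uses: the one with the lowest metric."""
    candidates = default_routes(routes)
    return min(candidates, key=lambda r: r.metric) if candidates else None


def local_addresses(routes):
    """Addresses the host owns: /32 routes whose gateway is loopback."""
    return sorted(r.destination for r in routes
                  if r.netmask == "255.255.255.255" and r.gateway == "127.0.0.1"
                  and not r.destination.startswith("127."))


def onlink_interface(routes, addr):
    """Interface address of the directly connected subnet containing addr."""
    ip = IPv4Address(addr)
    for r in routes:
        if r.netmask in ("255.255.255.255", "0.0.0.0") or r.gateway != r.interface:
            continue  # host routes, default routes and forwarded routes are not on-link
        if ip in IPv4Network(f"{r.destination}/{r.netmask}", strict=False):
            return r.interface
    return None


def audit(routes):
    """Flag local addresses whose replies would leave via a different NIC's gateway."""
    findings = []
    defaults = default_routes(routes)
    winner = effective_default(routes)
    losers = [r for r in defaults if r is not winner]
    if len(defaults) > 1:
        findings.append(f"{len(defaults)} default routes; replies use "
                        f"{winner.gateway} via {winner.interface}")
    for addr in local_addresses(routes):
        iface = onlink_interface(routes, addr)
        if any(iface == r.interface for r in losers):
            findings.append(f"{addr}: inbound on {iface} but replies leave via "
                            f"{winner.gateway} on {winner.interface}")
    return findings


if __name__ == "__main__":
    for name, dump in (("Buddy", BUDDY_ROUTE_PRINT), ("Charlie", CHARLIE_ROUTE_PRINT)):
        print(name, audit(parse_route_print(dump)) or "OK: single egress path")
```

Run on Buddy's table the audit returns nothing: 192.168.30.18 is only a host route to loopback, and it sits on the same connected subnet as the one default route's interface (192.168.30.8), so the inbound and reply paths match. On the constructed two-gateway table it reports that replies for 192.168.4.250 leave via 192.168.3.251, which is exactly the "only reachable when NIC1 is disabled" symptom. The script inspects a saved `route print` text, so it can be run offline against output collected from the server.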