Re: sbs 2008 - no Internet access possible to 2nd server
- From: "Cliff Galiher" <cgaliher@xxxxxxxxx>
- Date: Mon, 5 Jan 2009 09:25:31 -0700
Inline.
-Cliff
"Eric Visser" <evisser@xxxxxxxxxxx> wrote in message news:D9EE433E-F345-42F1-92A5-575FD8D787C4@xxxxxxxxxxxxxxxx
Your summary was correct.
There are *two* questions here (even if you didn't realize it.)
Thanks for your suggestions.
I tried the 8080 one and that works.
Now I can re-route the user at least to any application either on server1 or server2. Great!
One security question: Why is the above not a good practice apart from the user impact with :8080?
From a security perspective, as previous posts have mentioned, running a webserver on your LAN is bad. This has nothing to do with whether you use port forwarding or IP forwarding. IIS can have security flaws and if your webserver gets compromised, it is better to have that server on its own network (DMZ) so the baddies don't get back to your LAN.
The user impact of :8080 isn't a security issue either way. But you'll find that user impact to be significant. I have had clients, in the past (and sadly, will assuredly in the future) insist that I use the 'free' port forwarding setup. *Nowhere* that I've implemented port forwarding has been happy with that solution, and has eventually caved and switched to purchasing a second IP from their ISP. Getting an end-user to type :8080 (or 8081, or 61234...pick a free port) is a training hurdle that most non-geeks grasp. They don't understand why, so they forget to do so. And where the computer geek knows that the webserver usually operates on port 80, we can make the leap and *remember* 8080 (just 80 twice.)
Average-joe CFO who wants to check his webmail probably has a limited view of how the web works. He is used to *every* other site out there just being www.someserver.com. These days he doesn't even need to type in https. Somewhere on the http site a redirect eventually happens. He probably only has a limited grasp of the concept of IP addresses, because he doesn't need to, and probably knows NOTHING of port numbers. So asking him to remember to type :8080 is tricky. That is a completely arbitrary number to him. For every user that bookmarks pages, there is one that doesn't, and those support calls, and user frustration, rack up quickly.
Just thought I'd give you a heads up on this aspect. It isn't insignificant.
server1 is firewalled (MS factory settings), and server2 is firewalled (MS factory settings);
Nothing is ever 100% protected. Part of managing a server is risk management, mitigation, and recovery. So the premise that there is little difference between port or IP based forwarding *is* accurate, but that doesn't mean your infrastructure is *protected.* It is better to put a highly accessible server, such as a web server, in its own little world...regardless of the method used at your edge to reach it. As I outlined above, the user experience and the security considerations are very separate issues. You can (and should) segregate your web server...even if you stay with a port-forward scheme.
SBS2008 and WS2008 Firewall with Advanced security is loaded with numerous inbound rules and outbound rules.
As an illustration, the number of inbound/outbound rules: SBS2008 185/64; WS2008 with application roles 64/65.
Previous posts also suggested a redirect from the web to the servers. Whether port or IP-address based, it is a similar approach.
So I assume that the infrastructure is protected. Correct?
Tkx..
"Miles Li [MSFT]" <v-mileli@xxxxxxxxxxxxxxxxxxxx> wrote in message news:KJEs11xbJHA.5460@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello,
Thank you for posting here.
According to your description, I understand that:
You want to publish a web site on the second server in the SBS domain
while your router forwards all Internet traffic to the SBS server (server
1).
If I have misunderstood the problem, please don't hesitate to let me know.
Suggestions:
======================
Agree with Larry that it is not a good practice to publish a web site in the
internal network. To ensure network security, we recommend that you
implement a 3-leg perimeter network or a back-and-front firewall network and
publish the web sites that are hosted on the servers in the DMZ. Moreover, with
Microsoft Forefront edge security ISA you can deploy web publishing rules for
internal sites with high expansibility.
In your scenario, where you are not sure whether the router can hold
multiple IPs, you can try to redirect a different port for the web site
published on Server 2. For example, you can redirect port 8080 to
Server 2's port 80. Then external users will be able to access the web
sites on server 2 with the URL http://<external IP>:8080.
Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.
Best regards,
Miles Li
Microsoft Online Partner Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
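The two schemes discussed in this thread (a second external IP versus forwarding an alternate port such as :8080) and Cliff's point that segregation matters regardless of the scheme can be checked mechanically. The script below is an added example, not code from any poster in the thread: it parses a router-style forwarding table, derives the URL an end user would have to type for each entry, and flags every Internet-reachable service whose target host sits on the LAN rather than in a DMZ. The table layout, the addresses and the LAN/DMZ subnet boundaries are constructed for illustration.

```python
"""Audit a router's port-forward table against network segmentation.

Added example for the thread above; not code from any of the posters.
The forwarding-table layout, the addresses and the subnet boundaries are
constructed assumptions, not values taken from the thread.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed sample forwarding table: three entries on one external IP
# (the ":8080 port-forward" scheme) and one entry on a second external IP.
SAMPLE_FORWARDS = """\
# ext_ip        ext_port proto int_ip        int_port comment
203.0.113.10    80       tcp   192.168.16.2  80       server1 (SBS) web
203.0.113.10    443      tcp   192.168.16.2  443      server1 (SBS) https
203.0.113.10    8080     tcp   192.168.16.3  80       server2 web via port forward
203.0.113.11    80       tcp   10.99.0.5     80       server2 web via second IP (DMZ)
"""

# Constructed segmentation: the LAN where domain members live, and a DMZ.
LAN = ipaddress.ip_network("192.168.16.0/24")
DMZ = ipaddress.ip_network("10.99.0.0/24")


def parse_forwards(text: str) -> List[Dict]:
    """Parse the whitespace-separated table; blank and '#' lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # comment may contain spaces
        if len(parts) < 5:
            raise ValueError(f"malformed forward entry: {line!r}")
        ext_ip, ext_port, proto, int_ip, int_port = parts[:5]
        rows.append({
            "ext_ip": ext_ip, "ext_port": int(ext_port), "proto": proto.lower(),
            "int_ip": int_ip, "int_port": int(int_port),
            "comment": parts[5] if len(parts) == 6 else "",
        })
    return rows


def external_url(ext_ip: str, ext_port: int) -> str:
    """The URL an end user must type: default ports are implicit, others are not."""
    if ext_port == 443:
        return f"https://{ext_ip}/"
    if ext_port == 80:
        return f"http://{ext_ip}/"
    return f"http://{ext_ip}:{ext_port}/"


def zone_of(ip: str) -> str:
    """Classify an internal address by the constructed LAN/DMZ boundaries."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "DMZ"
    if addr in LAN:
        return "LAN"
    return "other"


def audit(forwards: List[Dict]) -> List[Dict]:
    """For every forward: user-facing URL, target zone, whether the user has to
    remember a port, and whether the Internet-reachable target is a LAN host."""
    findings = []
    for fw in forwards:
        zone = zone_of(fw["int_ip"])
        findings.append({
            "url": external_url(fw["ext_ip"], fw["ext_port"]),
            "target": f'{fw["int_ip"]}:{fw["int_port"]}/{fw["proto"]}',
            "zone": zone,
            "nonstandard_port": fw["ext_port"] not in (80, 443),
            "lan_exposure": zone == "LAN",
        })
    return findings


def lan_hosts_exposed(forwards: List[Dict]) -> Set[str]:
    """Internal LAN hosts that receive traffic straight from the Internet."""
    return {fw["int_ip"] for fw in forwards if zone_of(fw["int_ip"]) == "LAN"}


if __name__ == "__main__":
    for f in audit(parse_forwards(SAMPLE_FORWARDS)):
        flag = "  <-- Internet-facing service on LAN host" if f["lan_exposure"] else ""
        note = " (user must type the port)" if f["nonstandard_port"] else ""
        print(f'{f["url"]:<30} -> {f["target"]:<22} [{f["zone"]}]{note}{flag}')
```

Run against the sample, the :8080 entry is the only one whose URL carries a port (the user-training problem Cliff describes), while three of the four entries land on LAN hosts, including the SBS server's own forwards. Whether the SBS server's exposure is accepted is a risk-management decision; the web server on server2 is the one the thread says belongs in the DMZ, and the second-IP entry is the only one that passes that check.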