LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 05-24-2001, 05:41 AM   #1
hawkes
LQ Newbie
 
Registered: May 2001
Posts: 2

Rep: Reputation: 0

Hi,

I have 2 web servers on my LAN, a Redhat Linux/Apache server and an IIS4 server. The Apache box is the main web server and uses a one-to-one route in the firewall to be seen on the web. The IIS server is running Web Outlook. I want to be able to put a page on my main server (eg. http://www.mydomain.com/webmail/link.htm ) that contains a link to the outlook interface pages (on the IIS) without having to expose the IIS server to the internet in the same way as the apache box.

Is this possible without placing the apache box in a DMZ (which my firewall won't do)???

Any help gratefully appreciated.

Ben.
 
Old 05-24-2001, 09:51 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31

Hawkes,

Answer these questions and we might be able to give you a sensible answer.

Is your Linux box also the firewall or just the web server?
What firewall software are you running?

Are the two web servers on the same subnet?

/raz


 
Old 05-24-2001, 09:56 AM   #3
hawkes
LQ Newbie
 
Registered: May 2001
Posts: 2

Original Poster
Rep: Reputation: 0
Sensible answers

The linux box isn't the firewall, it is just the webserver. The firewall is a separate device, a Sonicwall SOHO.

Both servers are indeed on the same subnet.

Hope this helps.

I have just read an article about using SSL and I am now thinking that I could open up the https port to the IIS server on a separate IP address and redirect to that...

Any thoughts?
 
Old 05-24-2001, 10:39 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Hi,

I guess you could do that, but unless your Linux box does some port forwarding for you, the external addresses will need to see the IIS4 box so it can talk back to them. "it's how TCP/IP needs to work to handshake"

The way I would do this if I was in your situation, would be to put up some simple rules and forwarding software on the Linux box.

I would tell the Linux box that it should forward packets on port 90 to the IIS4 port 80 internal address.

Then in the rules on the Linux box I would tell it that only connections from the local IP address with a SYN flag to the IIS4 IP address are allowed, all others dropped.
Then in Apache I would make a link to its IP on port 90.

Then no one could access it other than the Linux box when it forwards on requests, and the IIS4 box replies to the destination but through Network address translation via the Linux box through the firewall.

The only way to hack the box is to spoof a connection so it thinks it's come from the Linux box. "your general kiddie scripter looking for a bug in IIS4 will not get in"

A DMZ is where you have at least a tri-homed firewall network so other firewalls can increase security in an otherwise more insecure area of the network. "DMZ".

Depending on what version of Redhat you have, you can use ipchains or iptables to do this + forwarding prerouting in iptables or ipmasqadm with ipchains.

/Raz
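
The port-90 forward described in the post above, sketched as an added example that is not part of the original thread or raz's own configuration. It takes the iptables route rather than ipchains; the sample addresses, the SNAT rule and the conntrack match are assumptions about how the description would be implemented, and the script only prints the commands for review.

```shell
#!/bin/sh
# Added example: prints the iptables commands; it does not apply them.

# Accept only dotted-quad IPv4 so nothing else can reach the generated commands.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# forward_rules LINUX_IP IIS_IP
forward_rules() {
    linux_ip=$1 iis_ip=$2
    valid_ipv4 "$linux_ip" && valid_ipv4 "$iis_ip" || {
        echo "forward_rules: expected two IPv4 addresses" >&2
        return 1
    }
    cat <<EOF
# Let the kernel route packets between the Apache box and the IIS4 box.
sysctl -w net.ipv4.ip_forward=1
# Port 90 on the Linux box is rewritten to port 80 on the IIS4 box.
iptables -t nat -A PREROUTING -p tcp -d ${linux_ip} --dport 90 -j DNAT --to-destination ${iis_ip}:80
# Assumption: rewrite the source too, so IIS4 replies return via the Linux box.
iptables -t nat -A POSTROUTING -p tcp -d ${iis_ip} --dport 80 -j SNAT --to-source ${linux_ip}
# Forward only new SYN connections to IIS4 port 80 and their replies; drop the rest.
iptables -P FORWARD DROP
iptables -A FORWARD -p tcp --syn -d ${iis_ip} --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Constructed sample addresses: 192.168.1.10 = Linux/Apache, 192.168.1.20 = IIS4.
forward_rules 192.168.1.10 192.168.1.20
```

Because both servers sit on the same subnet, the SNAT line is what makes the IIS4 box see every forwarded request as coming from the Linux box, which is the property the post relies on.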
 
  

