I Need a firewall recommendation.

You can try SonicWALL if you'd like. I am pretty sure the SonicWALL OS will allow the user to set up multiple servers and route properly; however, using port 80 and having two servers on the same LAN using the same port I would think would be difficult, only since I don't even know how that can work, other than the firewall appliance routing properly, which I think the SonicWALL does.

[link] and [link] sell them for the lowest price I've seen: $289 for the SonicWALL TZ150, and then the cost goes up from there.

[link] does have a demo you can try for free to log into a virtual administration server and look at all the things it can do. It's got one heck of an OS; the SonicOS is awesome in my opinion. So at least this way you should be able to see if it will do exactly what you want. The help system in the SonicOS is really good too in my opinion.

Reply to
Joe

I agree with Leythos, you simply CANNOT put a Windows machine on the public internet. Not that Windows is that bad of a product, just that it isn't designed to be a "firewalled OS".

Do you really need two machines? If all you're running are websites with mail ability, even a mid-level machine will suffice. As stated above by someone else, with Apache you can redirect someone to another website on the same IP by the requested DNS name/URL.

Example:

[link] = IP 192.168.10.10
[link] = IP 192.168.10.10

Apache will read the requested domain name and redirect the request to the appropriate server instance.

Yes, Apache runs on 2003, and yes it is a bit more difficult than IIS, and yes it has more features and is just as stable as 2003 will let it be!

As far as the pop/smtp, that also could all reside on the same box. Even easier than the Websites actually.

As far as firewalls go, m0n0wall ([link]) will do everything you need, and then some. It is free, and will run from a floppy/CD/compact flash/hard disk.

JM2C

Good Luck!

Smooter

Reply to
smooter

The newer sonicwalls have an intrusion prevention subscription service available that inspects incoming tcp streams for known IIS exploits and kills the connection if it looks as if an exploit is being attempted. Works quite well in my experience.

Reply to
T. Sean Weintz

Not the way he described. 1 outside IP address, 1 port (port 80) being NATted to two different IP addresses, which one it gets NATted to depending on the URL that was requested. Not too many firewalls do layer 7 aware NATting like that.
Reply to
T. Sean Weintz

I Need a firewall recommendation.

I am setting up two 2003 standard edition web servers. I am thinking I would be better off with a hardware firewall between these servers and the internet.

The only services they will need to run are: smtp 21, pop 110, http 80, https 443, ftp 21, and remote desktop 3389 (I think).

Since there are two servers the firewall must have some way to route incoming requests to the proper server. For example, let's say server 1's domain name was domainTest1.com and server 2's domain name was domainTest2.com. Requests for port 80 on the domain domainTest1.com would be routed to the IP of server 1, and requests for port 80 on the domain domainTest2.com would be routed to the IP of server 2. The same thing is required for the other services/ports.

1) Do I need a hardware firewall if I am running 2003 standard edition? All unneeded services will be turned off including windows file sharing.

2) What hardware firewall would anyone recommend? I was looking at the Cisco 501 and 506e, but the traffic on these servers is small, counted in the hundreds of hits a day, not thousands.

Thanks.

Reply to
User

If you want two servers to serve pages based on domain names then you'll need two IP addresses. A single server can serve many domain name pages based on name, but a firewall will not direct site names between servers. You will configure a public DNS record for each site, point the sites at two IP addresses (one for each) and then create rules that map the public IP to the proper server.

As for the rest, do you really want to allow POP to the server through the Public connection? Are you trying to run a small web server that you sell space on?

A proper firewall, like a WatchGuard Firebox 700 would protect your investment properly.

If you want to go on the cheap then you could purchase one of the higher end routers that permits multiple public IP addresses on the WAN port and just forward to the proper LAN IP.

I would never put a MS machine directly on the Internet. I've installed several hundred servers over the years, all MS, and never had a compromised server - but I never use ISA and I never setup a server directly connected to the Internet.

Reply to
Leythos

np - firewalls do that (if you tell them to).

'need' is an interesting word. I'd say you probably would be well advised to use a hardware firewall based on what you've said so far.

Are you sure? And incidentally, do you need to disable anything at all if your servers are safely behind a good firewall?

SnapGear 710 if you need rackmount or one of the cheaper units otherwise.

Only other comment I have is that two servers sounds overkill based on what you've said so I must assume there is more to this project than there seems. Make sure whichever firewall you choose can handle the throughput.

Reply to
William Tasso

That's my experience too.

Reply to
Leythos

Well slap me sideways with a kipper - I didn't read that inference at all. Would never have thought of wanting to do that.

/goes back to sleep

Reply to
William Tasso

Here is a follow up to everyone's replies.

First a clarification. The servers are dual Xeon 2.88 machines, so they are overkill as it is. All the services listed will be running on ONE of the servers. It will have one smtp/pop email server (Rockliff Mailsite) serving up multiple email domains. And it will be running IIS hosting different web sites each with different IPs, and ftp and remote admin. The machine that is being replaced by this new one already has multiple web sites and email domains as described, so I already know how to do all this on one machine, but thanks for the informative replies anyway.

The other server is running an app that uses one "weird" port, let's say port 1234, and remote admin.

Joe

----- I talked to the SonicWALL folks and for a "low end" router the TZ170 looks pretty serious for a great price. And it will handle everything I need to do here, and the ability to filter spam/malware at the firewall level (McAfee engine; would prefer the NOD32 engine tho) is a great feature. I am almost certainly going to go this route. Thanks for the tip!

Leythos

----------- You said - "do you really want to allow POP to the server through the Public connection?" Well yes. My company has a domain name that has emails associated with it and I have users that need to read their email. I have had pop 110 open to the public for years now. Am I missing something here?

Smooter

[link] looks cool! I don't have the time to deploy this setup with something like that, but for future things like a better setup at the office, putting an old PIII 600MHz machine to use for something like that is an interesting idea. Thanks for the tip.

William Tasso

------------------- In response to my statement:

You said: "Are you sure? and incidentally, do you need to disable anything at all if you're servers are safely behind a good firewall?"

Well here is why. These two machines will physically be on the same LAN behind the firewall. I don't need file sharing between them. So I was thinking that if one was compromised it would be better to have turned off Windows file sharing on both machines to limit the possibility that the compromised machine could be used to hack the second. What do you think now that it is clarified?

T. Sean Weintz, you said: "Not the way he described. 1 outside IP address, 1 port (port 80) being NATted to two different IP addresses, which one it gets NATted to depending on the URL that was requested. Not too many firewalls do layer 7 aware NATting like that."

Sorry for the somewhat vague first post. Each web site/ ftp site will have DIFFERENT IP addresses.

----- So, right now it looks like the TZ170 unless further comments tell me better.

This was my first post to this group. It rocks! Thanks everyone.

Reply to
User

Well, it's always a good plan to turn off any and every unnecessary service on any server for reasons of performance /and/ security.

I have set up many projects similar to the one you described. Usually, but not always, I configure each server to be a functional duplicate of its neighbour and make regular data transfers between them so that each is a warm standby unit for the other.

With two NICs in each box, file sharing doesn't need to be available on the public facing network.

Reply to
William Tasso

For SMTP (25), HTTP and HTTPS, this could be achieved by inserting proxy services, since the protocol includes the hostname.

For POP, if you constrained the usernames to be of the form snipped-for-privacy@host1.example.com, there are some POP servers that can hand-off to other pop servers.

For FTP you are stuffed. You could run it on different ports, and route these differently, but that might cause firewall problems for the remote users.

Reply to
Justins local account
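The point made by Smooter (Apache picks the site from the requested domain name), T. Sean Weintz (ordinary NAT cannot do that, it needs layer-7 awareness) and Justin (a proxy can do it for protocols that carry the hostname, FTP does not) comes down to what a router can see at each layer. The following is an added example written for this page, not code from any poster or product: a Host-header router that decides which internal server an HTTP/1.1 request should reach behind one public IP, beside the port-only decision a plain port-forward rule is limited to. The hostnames, the 192.168.10.x backend addresses and the routing table are constructed for the example; only the domainTest1/domainTest2 names come from the thread.

```python
"""Added example: layer-7 (Host header) routing versus layer-4 port forwarding.

A NAT rule sees only IP addresses and ports.  To send domainTest1.com and
domainTest2.com to different internal servers behind ONE public IP and ONE
port, something must read the application layer; for HTTP/1.1 that is the
Host: header.  Backend table and addresses below are constructed.
"""
from __future__ import annotations

# Constructed routing table: request hostname -> (internal IP, port).
BACKENDS: dict[str, tuple[str, int]] = {
    "domaintest1.com": ("192.168.10.10", 80),
    "domaintest2.com": ("192.168.10.11", 80),
}


def parse_http_host(data: bytes) -> str | None:
    """Extract the hostname from the Host: header of an HTTP/1.x request head.

    Returns None when the head is not yet complete, is malformed, carries no
    Host header, or carries more than one (an ambiguous request a router
    should refuse rather than guess at).  An explicit ":port" is stripped.
    """
    head_end = data.find(b"\r\n\r\n")
    if head_end == -1:
        return None  # request head not fully received yet
    lines = data[:head_end].split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:
        return None  # not a "METHOD target HTTP/x.y" request line
    hosts = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            hosts.append(value.strip())
    if len(hosts) != 1:
        return None  # missing or duplicated Host header: refuse to route
    host = hosts[0].decode("ascii", "replace").lower()
    if host.startswith("["):
        return None  # IPv6 literal: deliberately not handled in this demo
    host = host.split(":", 1)[0]
    return host or None


def choose_http_backend(data: bytes, table: dict[str, tuple[str, int]] = BACKENDS):
    """Layer-7 decision: pick a backend from the Host header, default-deny."""
    host = parse_http_host(data)
    if host is None:
        return None
    return table.get(host)  # unknown hostname -> None, nothing is forwarded


def choose_portforward_backend(dst_port: int, table: dict[int, tuple[str, int]]):
    """Layer-4 decision: all a NAT rule can use is the destination port, so
    one public IP and one port can only ever reach one internal server."""
    return table.get(dst_port)


if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.1\r\nHost: DomainTest2.com\r\n\r\n"
    print(choose_http_backend(req))           # ('192.168.10.11', 80)
    print(parse_http_host(b"USER joe\r\n"))   # None: an FTP command carries no server name
```

The two negative cases are the ones worth keeping in a real deployment: an unknown or duplicated Host header yields None rather than a best-guess backend, so nothing is forwarded that the rule set did not explicitly allow, and the FTP line shows why Justin's observation holds: the client never tells the proxy which site it wants, so there is nothing to route on.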
