Single IP, Web hosted on separate internal server

Discussion in 'Windows Small Business Server' started by Craig Robinson, Oct 11, 2004.

  1. Hi, after some help!
    I have SBS2003 standard running with one external IP connected via
    broadband. SBS acts as a NAT server and I used remote access etc as usual.

    I have a second server (Windows 2000 running IIS) on my internal network.

    Two questions:-

    1. How do I target an incoming web (port 80) request to my second server
    which doesn't have a public IP address?

    2. What are the security implications of doing this?

    I note the concerns about hosting on SBS - hence the separate server.

    Many thanks,
    Craig
     
    Craig Robinson, Oct 11, 2004
    #1

  2. You'd have to use the public IP and forward traffic on port 80 to the LAN IP
    of the other server through your firewall/ISA. This means that if you aren't
    using SSL for OWA, you aren't going to be able to get to OWA from the
    Internet, mind...or if you were using port 80 for something else.
    It's still on your LAN, not even in a DMZ, so I still advise against this.
    Also, even in a DMZ, you need to run IISLockdown and URLScan on it - note
    that IIS is probably the most heavily attacked MS product, so it wouldn't be
    my choice if I were setting up a public webserver...I even wish I could run
    OWA on another platform, but that's another story.

    I do suggest that small offices just pay for external webhosting accounts -
    a simple account should cost about $10/mo or so and is worth the cost.
     
    Lanwench [MVP - Exchange], Oct 11, 2004
    #2

  3. Many thanks for your advice.

    I would love to use public web hosting but I need to run a customer
    application that uses data on our network. Looks like I am back to the DMZ
    and expensive firewall.

    Thanks again,

    Craig.
     
    Craig Robinson, Oct 11, 2004
    #3
  4. OK - just be *very* careful what ports you open up, and in which direction,
    between DMZ and LAN or you'll turn your DMZ into tissue paper. I wouldn't
    open up anything from DMZ to LAN - don't know what your apps are, but
    perhaps you can schedule some sort of export of the data from LAN to server
    in DMZ.

    Don't make the web server a DC, and make sure you lock it down as I
    mentioned with IISLockdown and URLScan.
     
    Lanwench [MVP - Exchange], Oct 11, 2004
    #4
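
Added example (not part of the original thread or any poster's code): a small Python audit of a firewall rule list for the two flows advised against above, Internet traffic forwarded straight to a LAN host and connections initiated from the DMZ into the LAN. The subnets, the rule format and the sample rules are constructed assumptions; the thread gives no addresses or ports beyond port 80.

```python
import ipaddress

# Constructed zone layout (assumption, not from the thread).
ZONES = {
    "LAN": ipaddress.ip_network("192.168.16.0/24"),
    "DMZ": ipaddress.ip_network("192.168.50.0/24"),
}

# Flows the replies advise against, keyed by (source zone, destination zone).
FORBIDDEN = {
    ("DMZ", "LAN"): "DMZ host can initiate connections into the LAN",
    ("INTERNET", "LAN"): "Internet traffic is forwarded straight to a LAN host",
}

def zones_covered(endpoint):
    """Return every zone a rule endpoint overlaps; 'any' covers all of them."""
    net = ipaddress.ip_network("0.0.0.0/0" if endpoint == "any" else endpoint,
                               strict=False)
    covered = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    # Anything not fully inside an internal zone also includes Internet space.
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        covered.add("INTERNET")
    return covered

def audit(rules):
    """List (rule number, port, flow, reason) for each risky allow rule."""
    findings = []
    for idx, rule in enumerate(rules, start=1):
        if rule["action"] != "allow":
            continue
        for src in sorted(zones_covered(rule["src"])):
            for dst in sorted(zones_covered(rule["dst"])):
                reason = FORBIDDEN.get((src, dst))
                if reason:
                    findings.append((idx, rule["port"], f"{src}->{dst}", reason))
    return findings

# Constructed sample rule set (addresses and ports 445/1433 are illustrative).
SAMPLE_RULES = [
    {"action": "allow", "src": "any", "dst": "192.168.50.10/32", "port": 80},   # publish DMZ web server
    {"action": "allow", "src": "192.168.16.0/24", "dst": "192.168.50.10/32", "port": 445},   # LAN pushes data export to DMZ
    {"action": "allow", "src": "192.168.50.10/32", "dst": "192.168.16.2/32", "port": 1433},  # DMZ pulls from LAN database
    {"action": "allow", "src": "any", "dst": "192.168.16.20/32", "port": 80},   # port 80 forwarded to a LAN host
]

if __name__ == "__main__":
    for number, port, flow, reason in audit(SAMPLE_RULES):
        print(f"rule {number} (port {port}): {flow}: {reason}")
```

Rules 1 and 2 pass because every connection is initiated toward the DMZ; rules 3 and 4 are flagged.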