Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: A design idea/issue...how can this be done

A design idea/issue...how can this be done 8 years 7 months ago #25644

  • knives24
  • knives24's Avatar
  • Offline
  • New Member
  • Posts: 4
  • Karma: 0
Ok I've come across design idea I would like to try and implement, but the more I look into it the more I beleive it may not be possible. Here is the basic plan.

I have one publicly available static IP address connected to a firewall/router which has two servers(server1 & server2) behind it with static private IP addresses assigned.

These two servers are hosting "like" services. What I mean by that is that both of these servers have a web server, ftp server, mail server, etc. running on them using standard ports.

What I would like to do is this. At my domain's registrar I want to create two subdomains, lets say server1.mydomain.com and server2.mydomain.com, and have them both pointing to this publicly available static IP address. When a request is made for a service that is hosted on server1.mydomain.com the request would successfully be directed to the server1 on my private network and when a request for a service on server2.mydomain.com it would be directed to server2 on my private network. The requested service from each of these machines could be anything; http, ftp, smtp, etc. So my question is, how can I accomplish this or is it even possible?

Let me clear a few things out of the way. I've tried just simple port forwarding and I know that it doesn't work, atleast with the network hardware I have available. To my knowledge you can't forward the same port to two different internal IP addresses. Before you suggest that I use just one server instead of two, for reasons beyond my control this really isn't possible. I have used Apache's mod_proxy and virtual hosts to redirect HTTP requests to different servers based on DNS name and that works fine but it really doesn't help when it comes to handling other services such as FTP and mail.

So I'm here for any help that any of you can give me. If you need me to clarify any particular point I'll try my best to do so.

Thanks in advance
The administrator has disabled public write access.

Re: A design idea/issue...how can this be done 8 years 7 months ago #25647

  • jstretch
  • jstretch's Avatar
  • Offline
  • New Member
  • Posts: 15
  • Karma: 0
Unfortunately, no, this isn't doable without some sort of middle man to separate the requests. Apache with mod_proxy works because HTTP uses a Host: line in the header to specify the canonical name of the server, in addition to its address in the IP header. As you say, FTP and other protocols don't provide this luxury.

It may be possible to assign state from DNS queries if you control your own DNS server, but I have no experience with this and to be honest isn't an ideal solution.

It seems like the most appropriate solution would be to obtain multiple public IP's from your provider.
The administrator has disabled public write access.

Re: A design idea/issue...how can this be done 8 years 7 months ago #25648

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
The web request one is easy as you have said. FTP i am struggling with unless you can also do the redirect based on FQDN similar to HTTP (not sure if you can myself, i would have used ISA Server to do it and i don't currently have access to one to test, my build one at some point, depends if i get a min).

SMTP is simple if you introduce a SMTP Gateway device that will then forward the e-mails to server 1/2 repectively. This is quite common to do your gateway scanning on a server and then forward it which ever server you need to. Alternatively, forward all e-mails to Server 1 and then get that server to send to Server 2 based on the FQDN.

Sorry its probably not much help.

Cheers

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: A design idea/issue...how can this be done 8 years 7 months ago #25658

  • knives24
  • knives24's Avatar
  • Offline
  • New Member
  • Posts: 4
  • Karma: 0
Thanks for the responses. The more I thought about it the more I realized that this was probably something that wasn't easily do-able without middle-man devices. But before, just thinking it over myself, I thought it would be rather useful if I could do it this way, but as you guys have helped me realize its probably not the best way to do it.

If anybody else has any suggestions or would like to add anything I'm open for input.

And Smurf you are talking about Microsoft ISA Server correct? If you are, I think I have an available license I might look into building one myself.
The administrator has disabled public write access.
Time to create page: 0.083 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup