Servers and UT

[johnfromdon]

Hi there

I have a problem, and need a helping hand.

My setup:

• I have 3 IP Addresses
• I have 1 UT box (twin NICs)
• 3 Servers
• Server ONE is at IP **.**.**.102 - Running CenTOS - will deliver a number of web applications.
• Server TWO is at IP **.**.**.103 - Running Windows Server 2003 SBS
• Server THREE is at IP **.**.**.104 - Running CenTOS - Running the corporate website and web applications.

I have 3 IP addresses.

It seems that Port Forwarding doesn't work right - as whenever I want to use a Source Address to tie down any forwarding from a certain IP to a server it doesn't seem to work, as I want to be able to:

• Direct a SUBDOMAIN to Server ONE - may also want some port 443 directing here for secure applications
• Direct all web/mail relevant to SBS to Server TWO - OFW etc
• Have the website as well as some other subdomains on Server THREE.

Is there an easy way of ensuring this happens or is it a bug within the Port Forwarding?

Thanks In Advance

[dmorris]

can you post a screenshot of your port forwarding rule.

keep in mind if you specify a source address only traffic *from* (not *to*) that address will be forwarded.
additionally, forwarding is done by IP, it has no knowledge of domanis or subdomains - thats purely a function of your DNS.

http://wiki.untangle.com/index.php/P...shooting_Guide

[sky-knight]

• Direct a SUBDOMAIN to Server ONE - may also want some port 443 directing here for secure applications
• Direct all web/mail relevant to SBS to Server TWO - OFW etc
• Have the website as well as some other subdomains on Server THREE.

You cannot "port forward" based on host headers. The device that does that is called a reverse proxy. That feature doesn't exist within untangle. You can forward ports in Utnangle based on standard routing practices, meaning IP and port matches. You cannot have 1 IP address dynamically going to different servers based on a change in the host header.

If you require that feature you need to configure a reverse proxy server to accept all incoming web requests and configure that proxy to go to the appropriate internal server based on each request. You need a web server to read host headers...

Yes ISA server can do this, it's because IIS7 is capable of doing reverse proxy work. Apache 2 is as well, but Untangle's GUI doesn't have the stuff in it to pull this off.

[Tim]

I agree with dmorris.

Untangle, like most firewalls, cannot do the http/s redirection that you want as far as I know.

The port forwarding can do what you need if you have 3 external IP address you can specify one external IP address for each server.

Redirects based on hostname happen at the server level, but all of the websites would then have to be on the same server. (I'm assuming IIS, since you mentioned SBS).

In your case you need:
External IP x.x.x.1 Port 80 to Internal IP 192.x.x.1 (Server 1)
External IP x.x.x.2 Port 80 to Internal IP 192.x.x.2 (Server 2)
External IP x.x.x.3 Port 80 to Internal IP 192.x.x.3 (Server 3)
Then external DNS should be:
www.something.com to x.x.x.1
subdomain.something.com to x.x.x.2
mail.something.com to x.x.x.3

Any traffic with a destination of x.x.x.1 will go to server 1, and so on...

[johnfromdon]

I cannot attach, as I am not near server but the following:

If all of the following conditions have been met:
and Destined Local
and source address: **.**.**.103
and Destination Port: 443
and Protocol: TCP

Forward traffic to the following location:
New Destination: 192.168.2.200

But I want to be able to do - as well:

If all of the following conditions have been met:
and Destined Local
and source address: **.**.**.102
and Destination Port: 443
and Protocol: TCP

Forward traffic to the following location:
New Destination: 192.168.2.205

[dmorris]

I cannot attach, as I am not near server but the following:

If all of the following conditions have been met:
and Destined Local
and source address: **.**.**.103
and Destination Port: 443
and Protocol: TCP

This will only forward traffic from **.**.**.103
I'm guessing you mean Destination Address.

You'll also need to move untangle administration off port 443 if 103 is untangle's main IP.

I'd just remove this rule, and start over but this time do not use an advanced rule, just use a simple rule.
edit: if you have multiple external IPs then I guess you'll need to use advanced mode - just pretend like "Source Address" doesn't exist.

[johnfromdon]

@Tim - I have my domain parked and have the DNS set to each of the servers as mentioned. No my websites are on the CenTOS Linux boxes - I only use the SBS for the email and the Web Access for Outlook.

[sky-knight]

I cannot attach, as I am not near server but the following:

If all of the following conditions have been met:
and Destined Local
and source address: **.**.**.103
and Destination Port: 443
and Protocol: TCP

Forward traffic to the following location:
New Destination: 192.168.2.200

But I want to be able to do - as well:

If all of the following conditions have been met:
and Destined Local
and source address: **.**.**.102
and Destination Port: 443
and Protocol: TCP

Forward traffic to the following location:
New Destination: 192.168.2.205

You can't do that... Destined Local means "destined to an IP assigned to untangle" You can't forward 443 twice.

You need 1 public IP address for each TCP 443 instance you want to forward to each internal server.

If you have 3 web servers that need to run secure web sites you need 3 public IP addresses on your untangle. Then you rip out destined local, replace it with destination address, and put in the specific IP you want to assign to the specific server. Then you also need to get your NAT policies lined up so the web server NATs back to the correct address.

[Tim]

Yep. sorry I see what each server is running now that I look back at your post.
dmorris is right, the source should be any.
You probably don't even need the source address part of the rule.
Just correct the Destination Address = external IP address of server (e.g. x.x.x.103)

[johnfromdon]

Is UT going to be having this functionality in future?