Thread: Servers and UT

  1. #1
    Newbie
    Join Date
    Dec 2009
    Posts
    6

    Servers and UT

    Hi there

    I have a problem, and need a helping hand.

    My setup:
    • I have 3 IP Addresses
    • I have 1 UT box (twin NICs)
    • 3 Servers
    • Server ONE is at IP **.**.**.102 - Running CentOS - will deliver a number of web applications.
    • Server TWO is at IP **.**.**.103 - Running Windows Server 2003 SBS
    • Server THREE is at IP **.**.**.104 - Running CentOS - Running the corporate website and web applications.
    I have 3 IP addresses.

    It seems that Port Forwarding doesn't work right - as whenever I want to use a Source Address to tie down any forwarding from a certain IP to a server it doesn't seem to work, as I want to be able to:

    • Direct a SUBDOMAIN to Server ONE - may also want some port 443 directing here for secure applications
    • Direct all web/mail relevant to SBS to Server TWO - OFW etc
    • Have the website as well as some other subdomains on Server THREE.


    Is there an easy way of ensuring this happens or is it a bug within the Port Forwarding?

    Thanks In Advance
    Last edited by johnfromdon; 01-22-2010 at 02:41 PM.

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Can you post a screenshot of your port forwarding rule?

    Keep in mind if you specify a source address, only traffic *from* (not *to*) that address will be forwarded.
    Additionally, forwarding is done by IP; it has no knowledge of domains or subdomains - that's purely a function of your DNS.

    http://wiki.untangle.com/index.php/P...shooting_Guide
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,491

    Quote Originally Posted by johnfromdon View Post
    • Direct a SUBDOMAIN to Server ONE - may also want some port 443 directing here for secure applications
    • Direct all web/mail relevant to SBS to Server TWO - OFW etc
    • Have the website as well as some other subdomains on Server THREE.
    You cannot "port forward" based on host headers. The device that does that is called a reverse proxy. That feature doesn't exist within Untangle. You can forward ports in Untangle based on standard routing practices, meaning IP and port matches. You cannot have 1 IP address dynamically going to different servers based on a change in the host header.

    If you require that feature you need to configure a reverse proxy server to accept all incoming web requests and configure that proxy to go to the appropriate internal server based on each request. You need a web server to read host headers...

    Yes ISA server can do this, it's because IIS7 is capable of doing reverse proxy work. Apache 2 is as well, but Untangle's GUI doesn't have the stuff in it to pull this off.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Tim
    Newbie
    Join Date
    Feb 2009
    Posts
    9

    I agree with dmorris.

    Untangle, like most firewalls, cannot do the http/s redirection that you want as far as I know.

    The port forwarding can do what you need if you have 3 external IP addresses; you can specify one external IP address for each server.

    Redirects based on hostname happen at the server level, but all of the websites would then have to be on the same server. (I'm assuming IIS, since you mentioned SBS).

    In your case you need:
    External IP x.x.x.1 Port 80 to Internal IP 192.x.x.1 (Server 1)
    External IP x.x.x.2 Port 80 to Internal IP 192.x.x.2 (Server 2)
    External IP x.x.x.3 Port 80 to Internal IP 192.x.x.3 (Server 3)
    Then external DNS should be:
    www.something.com to x.x.x.1
    subdomain.something.com to x.x.x.2
    mail.something.com to x.x.x.3

    Any traffic with a destination of x.x.x.1 will go to server 1, and so on...

  5. #5
    Newbie
    Join Date
    Dec 2009
    Posts
    6

    I cannot attach, as I am not near server but the following:

    If all of the following conditions have been met:
    and Destined Local
    and source address: **.**.**.103
    and Destination Port: 443
    and Protocol: TCP

    Forward traffic to the following location:
    New Destination: 192.168.2.200

    But I want to be able to do - as well:

    If all of the following conditions have been met:
    and Destined Local
    and source address: **.**.**.102
    and Destination Port: 443
    and Protocol: TCP

    Forward traffic to the following location:
    New Destination: 192.168.2.205

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Quote Originally Posted by johnfromdon View Post
    I cannot attach, as I am not near server but the following:

    If all of the following conditions have been met:
    and Destined Local
    and source address: **.**.**.103
    and Destination Port: 443
    and Protocol: TCP
    This will only forward traffic from **.**.**.103
    I'm guessing you mean Destination Address.

    You'll also need to move untangle administration off port 443 if 103 is untangle's main IP.

    I'd just remove this rule, and start over but this time do not use an advanced rule, just use a simple rule.
    edit: if you have multiple external IPs then I guess you'll need to use advanced mode - just pretend like "Source Address" doesn't exist.

  7. #7
    Newbie
    Join Date
    Dec 2009
    Posts
    6

    @Tim - I have my domain parked and have the DNS set to each of the servers as mentioned. No, my websites are on the CentOS Linux boxes - I only use the SBS for the email and the Web Access for Outlook.

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,491

    Quote Originally Posted by johnfromdon View Post
    I cannot attach, as I am not near server but the following:

    If all of the following conditions have been met:
    and Destined Local
    and source address: **.**.**.103
    and Destination Port: 443
    and Protocol: TCP

    Forward traffic to the following location:
    New Destination: 192.168.2.200

    But I want to be able to do - as well:

    If all of the following conditions have been met:
    and Destined Local
    and source address: **.**.**.102
    and Destination Port: 443
    and Protocol: TCP

    Forward traffic to the following location:
    New Destination: 192.168.2.205
    You can't do that... Destined Local means "destined to an IP assigned to Untangle". You can't forward 443 twice.

    You need 1 public IP address for each TCP 443 instance you want to forward to each internal server.

    If you have 3 web servers that need to run secure web sites you need 3 public IP addresses on your untangle. Then you rip out destined local, replace it with destination address, and put in the specific IP you want to assign to the specific server. Then you also need to get your NAT policies lined up so the web server NATs back to the correct address.

  9. #9
    Tim
    Newbie
    Join Date
    Feb 2009
    Posts
    9

    Yep, sorry, I see what each server is running now that I look back at your post.
    dmorris is right, the source should be any.
    You probably don't even need the source address part of the rule.
    Just correct the Destination Address = external IP address of server (e.g. x.x.x.103)
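
The rule matching discussed in posts #5 through #9, as an added example that is not part of the thread and is not Untangle code: a toy evaluator showing why the Source Address condition never matches internet clients, why two Destined Local rules on port 443 collide, and why one Destination Address per server works. The public IPs (RFC 5737 documentation range), the client address and first-match rule ordering are assumptions; the internal 192.168.2.x targets are the ones from the thread.

```python
# Added example: toy first-match port-forward evaluator (illustrative only).
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the masked public IPs in the thread (RFC 5737).
PUBLIC = {"102": "203.0.113.102", "103": "203.0.113.103"}
LOCAL_IPS = set(PUBLIC.values())  # addresses assigned to the firewall itself

@dataclass
class Rule:
    new_dest: str
    dst_port: int
    proto: str = "TCP"
    src: Optional[str] = None      # matches who SENT the packet
    dst: Optional[str] = None      # matches which public IP it was sent TO
    destined_local: bool = False   # matches any IP assigned to the firewall

    def matches(self, pkt: dict) -> bool:
        if pkt["proto"] != self.proto or pkt["dport"] != self.dst_port:
            return False
        if self.src and pkt["src"] != self.src:
            return False
        if self.dst and pkt["dst"] != self.dst:
            return False
        if self.destined_local and pkt["dst"] not in LOCAL_IPS:
            return False
        return True

def forward(rules, pkt):
    """Return the internal destination of the first matching rule, else None."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.new_dest
    return None

def client_pkt(dst):
    # An internet client (constructed address) connecting to a public IP on 443.
    return {"src": "198.51.100.7", "dst": dst, "dport": 443, "proto": "TCP"}

# Rules as posted: Source Address set to the firewall's own public IPs.
as_posted = [Rule("192.168.2.200", 443, src=PUBLIC["103"], destined_local=True),
             Rule("192.168.2.205", 443, src=PUBLIC["102"], destined_local=True)]
# Source Address dropped: both rules now match everything on 443.
no_source = [Rule("192.168.2.200", 443, destined_local=True),
             Rule("192.168.2.205", 443, destined_local=True)]
# Suggested form: one Destination Address per internal server.
by_dest = [Rule("192.168.2.200", 443, dst=PUBLIC["103"]),
           Rule("192.168.2.205", 443, dst=PUBLIC["102"])]
```

With `as_posted` no client connection is forwarded at all; with `no_source` every connection lands on 192.168.2.200 and the second rule is never reached; only `by_dest` separates the two servers.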

  10. #10
    Newbie
    Join Date
    Dec 2009
    Posts
    6

    Is UT going to be having this functionality in future?
