Multiple IPs on single NIC connection issues

Discussion in 'Networks' started by garyb, Dec 19, 2007.

  1. garyb

    Hi,
    I have a huge problem which I have been trying to resolve for 3 days now with no success.

    I have been running our business website on IIS6 in a DMZ connecting back to the LAN SQL 2000 server on port 1433 with no issues for a few years. We now are looking to add another 2 websites onto IIS using virtual IPs on the single NIC identical to the above but a differing SQL box. This is where the problems begin!

    IIS [DMZ]
    NIC1 - 10.0.10.10 [connect to server1 on 1433]
    Virtual IP on NIC1 - 10.0.10.11 & 10.0.10.12 [connect to server2 on 1434]

    SQL [LAN]
    Server 1 - 192.168.40.40
    Server 2 - 192.168.40.41

    On the firewall I have created 3 access rules to allow websites to connect back to the relative SQL boxes on SQL ports above but as soon as I start the new website to connect to SQL server 2 it 404s the original website. Firewall logs show attempts from the primary IP [10.0.10.10] to access SQL Server2 which will never work as there is no access rule for this!

    Even when a client accesses the website on 10.10.10.11 the connection is initiated by 10.10.10.10 [primary NIC], which is causing me grief as I can't host more than one website now!

    As a test I set up a firewall rule to allow Telnet full access from DMZ to LAN. Telnet to the 192.168.40.40 SQL box from IIS is fine, but to the 192.168.40.41 fails. I need to somehow force the connection to be made from the virtual IP on NIC1 but am clueless how to!

    I am really lost here and have delayed the rollout of the 2 additional websites because of this, any ideas appreciated.
     
    WIP: MCSA 2003
  2. Stoney

    Have you tried this without the virtual IPs?

    Just add the websites in IIS and then give them different host header names.

    eg: www.website1.com, www.website2.com, www.website3.net

    We have a couple of sites hosted through IIS that connect to SQL, and I don't think there's anything special setup for them.
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  3. garyb

    Hi Stoney, thanks for the reply.
    I did try this but there's some confusion when the SQL attempts to route from DMZ to LAN. As I said there are 2 differing SQL servers on the LAN, when the connection is initiated on the website the packets get sent to the wrong server, i.e.:

    website1 should route on 1433 to sqlserver1
    website2 should route on 1434 to sqlserver2

    What actually happens is website2 connects on 1434 to sqlserver1 breaking both websites..

    Baffling me I can tell you..
     
    WIP: MCSA 2003
  4. ffreeloader

    I'm not familiar with your entire setup so don't know how workable this will be for your entire situation. In open source products I can customize what ports will be used by the individual database servers and the ports each Apache virtual server or instance will go looking for at each database server. If you can do the same, and I seem to remember that port settings are at least customizable on SQL Server, that should solve your problem.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  5. Stoney

    Have you tried creating an access rule to open up 10.0.10.10 to the second SQL box to see if the websites work then? I'm not too sure how IIS deals with virtual IPs but it sounds like it acts as some sort of NAT agent for the virtual IPs. At the moment all traffic is originating from the IP on the physical NIC.

    Are the virtual IPs visible on the LAN? Are they registered in DNS at all? Can you ping the website's hostname or virtual IP?
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
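
Added example, not part of any post in this thread: a loopback demonstration of the behaviour being discussed, namely that an outbound TCP connection takes the source address the operating system selects unless the client binds its socket to a specific local address first. The addresses 127.0.0.1 and 127.0.0.2 are constructed stand-ins for the primary and additional addresses and assume a host that accepts the whole 127.0.0.0/8 range on loopback (Linux does); the function names are illustrative.

```python
import socket
import threading

PRIMARY = "127.0.0.1"    # constructed stand-in for the NIC's primary address
SECONDARY = "127.0.0.2"  # constructed stand-in for an additional ("virtual") address


def start_listener():
    """Listen on an ephemeral port and record the source IP of every peer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((PRIMARY, 0))
    srv.listen(5)
    seen = []

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:      # listener was closed
                return
            seen.append(peer[0])  # what a firewall or server log would show
            conn.sendall(b"ok")
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, seen


def observed_source(port, source_ip=None):
    """Connect to the listener; return the local address the socket ended up using."""
    src = (source_ip, 0) if source_ip else None  # None = let the OS choose
    with socket.create_connection((PRIMARY, port), timeout=5, source_address=src) as c:
        c.recv(2)  # wait until the listener has logged this connection
        return c.getsockname()[0]


def demo():
    srv, seen = start_listener()
    port = srv.getsockname()[1]
    default_src = observed_source(port)           # unbound client socket
    bound_src = observed_source(port, SECONDARY)  # client bound to the second address
    srv.close()
    return default_src, bound_src, list(seen)


if __name__ == "__main__":
    print(demo())
```

A firewall rule keyed on source address only matches the address the listener records here, so rules written for an additional address never fire while the client leaves its socket unbound.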
  6. garyb

    Hi,
    yes this is the same in my setup:

    IIS [DMZ]
    NIC1 - 10.0.10.10 [connect to server1 on 1433]
    Virtual IP on NIC1 - 10.0.10.11 & 10.0.10.12 [connect to server2 on 1434]

    SQL Server[LAN]
    Server 1 - 192.168.40.40 listening on 1433
    Server 2 - 192.168.40.41 listening on 1434

    The problem is the connection to Server2 on UDP 1434 can't get through. I can telnet this server on that port from any LAN machine, but impossible to do so on the webserver even after creating an access rule to route?

    Cheers

    G
     
    WIP: MCSA 2003
  7. garyb

    On my firewall NAT allows any to any interface so any traffic from DMZ to LAN is allowed. Then on the access rules you filter traffic as required, with the last rule being deny any to any. As a test I disabled that rule effectively allowing any traffic from DMZ subnets to LAN subnets, still no success!

    I can ping the virtual IPs from the LAN..

    Arggghhhh!
     
    WIP: MCSA 2003
  8. garyb

    Hmm, have you ever heard the phrase can't see the wood for the trees!!

    Taking your advice I put all websites on the primary NIC using host headers, then created an access rule to allow 1433 TCP, 1434 TCP & 1434 UDP from primary NIC to both SQL servers. This works!!

    However, I now have another problem. Each website needs SSL which can't be done using this method, hence my original attempt at sticking each on a virtual IP.

    Wonder why I can't initiate the SQL connection from a virtual IP?

    Thanks for your clear thinking though, it made me sit back and look from a different angle.
     
    WIP: MCSA 2003
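
Added example, not part of any post in this thread: the two rule sets described in posts 1 and 8, modelled as an ordered first-match access list and checked against the flows the firewall logs reported. The rule format, the first-match evaluation and the TCP protocol on the post 1 rules are assumptions (the thread does not name the firewall product); the flows are constructed from the addresses and ports given in the posts.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form
    proto: str    # "tcp", "udp" or "any"
    port: int     # destination port, 0 = any

def first_match(rules, src, dst, proto, port):
    """Return the index of the first rule matching the flow, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.port in (0, port)):
            return i
    return None

def audit(rules, flows):
    """Return per-flow verdicts and the allow rules no observed flow ever hit."""
    hits = [first_match(rules, *f) for f in flows]
    verdicts = [rules[i].action if i is not None else "deny" for i in hits]
    unused = [r for i, r in enumerate(rules) if r.action == "allow" and i not in hits]
    return verdicts, unused

DENY_ALL = Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", 0)
SQL1, SQL2 = "192.168.40.40/32", "192.168.40.41/32"

# Post 1: one rule per website address (TCP assumed; the post names ports only).
PER_SITE = [Rule("allow", "10.0.10.10/32", SQL1, "tcp", 1433),
            Rule("allow", "10.0.10.11/32", SQL2, "tcp", 1434),
            Rule("allow", "10.0.10.12/32", SQL2, "tcp", 1434), DENY_ALL]

# Post 8: 1433 TCP, 1434 TCP and 1434 UDP from the primary address to both servers.
PRIMARY_ONLY = [Rule("allow", "10.0.10.10/32", dst, proto, port)
                for dst in (SQL1, SQL2)
                for proto, port in (("tcp", 1433), ("tcp", 1434), ("udp", 1434))] + [DENY_ALL]

# Constructed flows matching what the firewall logs showed: every SQL connection
# leaves the web server with the primary address as its source.
OBSERVED = [("10.0.10.10", "192.168.40.40", "tcp", 1433),
            ("10.0.10.10", "192.168.40.41", "tcp", 1434)]

if __name__ == "__main__":
    for name, rules in (("per-site", PER_SITE), ("primary-only", PRIMARY_ONLY)):
        print(name, audit(rules, OBSERVED))
```

The `unused` list is the review aid: under the per-address rules it exposes the two allows that never match because no connection uses 10.0.10.11 or 10.0.10.12 as its source, and under the post 8 rules it lists the allows that are wider than the observed traffic needs.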
  9. ffreeloader

    Take a look at this.

    http://www.microsoft.com/technet/pr...108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. Stoney

    Do you have any SSL certificates installed on the server? As Freddy's link suggests, you can't configure SSL host headers yourself.

    This link may help you as well, although I think you may have gone past this point now.
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  11. garyb

    Thanks to you all for your kind input, the websites are up and connecting to SQL so short term I may still get to enjoy xmas festivities.

    Will leave the SSLs till next year.

    Merry xmas
     
    WIP: MCSA 2003
  12. r.h.lee

    garyb,

    Which operating system is "IIS6" installed on?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
