Jump to content
RESET Forums (homeservershow.com)

Remote web access to second WHS 2011?

Shoop

I couldn't find anything in the router such as "drop ICMP requests". 

 

Let me make sure I understand this.  To access the server I have to connect to it through the domain name host (in this case Microsoft).  This explains why the pings to the router fail, but I can still connect to my 1st server using my "xxxxx.homeserver.com" address provided by Microsoft. So to bypass the problem connecting to the second server, I add the extension :8443 to the IP address to bypass the domain name host (Microsoft) and go to the router. In the router the external ports 8125, 8443, 8080 are converted to 4125, 443, 80 to connect to the second server and avoid port overlap with the first server. Is this correct?

ikon

Mostly correct. Adding 8443 doesn't bypass Microsoft. The 8443 gets added to the IP address that Microsoft returns to the Domain Name resolution request. Effectively, the final address looks like xxx.xxx.xxx.xxx:8443. That's what gets sent to your router (pretty much). Then, as you say, the 8443 gets translated to 443 by your router, and it also figures out what IP on your LAN to send the packet to because of the 8443.

ikon

To avoid searching the entire thread, which make and model of router is it?

jmwills

The image showing the model was removed.  Seems like it was a Cisco/Linksys 6630 or something like that.

jem101

At the risk of confusing you even more, the way it all works and what you need to look out for is this.

 

Imagine that you have a single server (Server1) with an (internal/private) IP address of 192.168.0.1. Your ISP allocates you an external (private) IP address of 123.5.6.7, say, and using the wizard you set up a Microsoft domain name of, say, shoop.remotewebaccess.com. Your router is using uPnP so the server can configure it all; so far so good.

 

From the outside world you open a web browser and enter https://shoop.remotewebaccess.com. The browser (well more accurately the PC) makes a DNS lookup to see where shoop.remotewebaccess.com points to and finds that this name resolves to 123.5.6.7. The browser sends the request to this address and it is picked up by your router. The router knows that https traffic (which is TCP port 443) is to be sent to Server1, i.e. you are port forwarding 443 to 192.168.0.1. The server responds and sends the web page back to the PC. And that's that.

 

But now you complicate the system: you introduce a second server (Server2 on 192.168.0.2) and you would like to also be able to access it from the outside world. The problem is that the web service part of the new server is also listening for connections on port 443, and your router can only forward such traffic on to one server, not both. Now here's the trick: you leave Server1 alone. On Server2 you could change the listening port, but that means getting your hands dirty with IIS configuration, which is not to be undertaken lightly and has a really high chance of messing up anyway. So you leave Server2 listening on port 443 and make use of a feature referred to as port address translation. We need to choose a different port number, let's say 444.

 

So back to our external PC, we open a web browser and enter https://shoop.remotewebaccess.com:444. This tells the browser to make an https connection but use port 444 instead of the default 443 - it still uses the Microsoft domain name, which still resolves to your public IP address (123.5.6.7) and so this request is received by your router. Now if you configure your router properly, you tell it that if it receives traffic using port 444, it is to translate that to port 443 and forward it onto Server2. Server2 sees a request for web access on the port it is expecting (443), responds accordingly and your browser displays the page.

 

So what you need to do is setup the port forwarding rules on your router to be

If traffic is received using port 443, keep it the same port number but forward it to Server1

If traffic is received using port 444, translate that to port 443 and forward it to Server2

 

How you actually do this varies from router to router, but the basic principle is the same. In this case uPnP is not going to work and will just make a complete dog's breakfast of the whole thing; you'll have to set it up manually. Turn off uPnP on your router. Probably both servers will whinge about it and complain about stuff not being set up properly, but that's just tough luck on them.

 

Good luck

 

 

 

John

 

 

 

By the way, I'm fairly sure you don't need to bother with port 4125 or 80, there really shouldn't be any need to connect from the outside world via http (port 80) if you can use https and 4125 used to be used for Remote Web Workspace in the SBS 2003 days but I think all that is tunnelled over 443 now as well.

Edited by jem101

ikon

nice jem101. I especially like the "that's just tough luck on them" :D

 

shoop, the only thing I would add to jem101's post is to not use a port number such as 444 in real life. I understand why jem101 used it for purposes of the example but, in real life, it's much better to not use any ports below 1024: i.e. use port numbers between 1025 and 65535. It won't hinder your efforts at all to use the higher port numbers. It's just that port numbers below 1025 are considered 'reserved ports' and generally have pre-designated purposes.

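An added check for the setup jem101 and ikon describe (not from the thread, and not anything the WHS wizard does for you): run it from outside your LAN, on a laptop tethered to a phone or from a friend's connection, because many consumer routers will not hairpin their own public address. It resolves the Microsoft-provided name, opens a TLS connection to each forwarded port and records the certificate each one presents. Two ports that hand back the same certificate thumbprint are landing on the same machine, which is exactly what a forwarding rule that still points at Server1 looks like. It uses TCP, so a router that drops ICMP (the failed pings earlier in the thread) does not affect it. The hostname is jem101's example and the port pair (443 for Server1, 8443 for Server2, following ikon's advice to stay above 1024) is an assumption; substitute your own. Written against PowerShell 2.0, which is what WHS 2011 ships with.

```powershell
# Added example, not code from the thread or from WHS 2011.
# Run from OUTSIDE the LAN. Hostname and ports below are assumptions.
$TargetHost = 'shoop.remotewebaccess.com'   # assumption: jem101's example name
$Ports      = 443, 8443                     # assumption: Server1 on 443, Server2 behind 8443
$TimeoutMs  = 5000

# Accept any certificate: the goal is to inspect it, not to trust it.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }

function Get-RemoteTlsCert {
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs)
    $result = New-Object PSObject -Property @{
        Port = $Port; Connected = $false; Subject = $null; Thumbprint = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $result.Error = 'connect timeout: no forwarding rule, or the port is being dropped'
            return $result
        }
        $client.EndConnect($ar)
        $result.Connected = $true
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = $ssl.RemoteCertificate
        $result.Subject    = $cert.Subject
        $result.Thumbprint = $cert.GetCertHashString()
        $ssl.Close()
    } catch {
        # Connected but no TLS (e.g. a plain-HTTP port), or a reset from the router
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    return $result
}

# 1. What does the Microsoft name resolve to? This is the address the :port gets appended to.
$addresses = [System.Net.Dns]::GetHostAddresses($TargetHost) | ForEach-Object { $_.IPAddressToString }
"$TargetHost resolves to: $($addresses -join ', ')"

# 2. Probe every forwarded port and show which certificate answered.
$results = foreach ($p in $Ports) { Get-RemoteTlsCert -TargetHost $TargetHost -Port $p -TimeoutMs $TimeoutMs }
$results | Format-Table Port, Connected, Thumbprint, Subject, Error -AutoSize

# 3. Flag ports that present the same certificate: they are reaching the same server.
$dupes = $results | Where-Object { $_.Connected -and $_.Thumbprint } |
         Group-Object Thumbprint | Where-Object { $_.Count -gt 1 }
foreach ($g in $dupes) {
    $portList = ($g.Group | ForEach-Object { $_.Port }) -join ', '
    "WARNING: ports $portList present the same certificate ($($g.Name)); the router is forwarding them to one server."
}
if (-not $dupes) { 'OK: every reachable port presented a different certificate.' }
```

A port that shows Connected but an error rather than a thumbprint is usually one that speaks plain HTTP (8080 in shoop's setup), which is expected. A timeout on 8443 alone, with 443 fine, points at the router rule or the Windows Firewall on Server2 rather than DNS, since both ports use the same resolved address.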
jmwills

Shoop,

 

Did you add a Firewall rule to allow the odd numbered port access to the server?  Such as 8080 and 8443?

ikon

Good point.

jmwills

Success!

 

The bindings on the IIS Site have to match whatever port number you are using or you will get redirected over to the main server.  Not that big of a deal to do (but I work with this stuff every day too).

 

Administrative Tools > IIS Manager > Expand the Sites folder and select Default Web Site.  In the Action Pane on the right-hand side, choose Bindings and Edit by highlighting HTTP and changing the port number, and the same for HTTPS.  This is where you change the ports to the alternate ports.

 

I am using ports 8080 and 8443, for which I also created a Windows Firewall rule to allow those ports access to the server (see Advanced Settings).  Ports 8080, 8443, and 8125 were forwarded to the second server as internal ports 80, 8443, and 4125.  I think where shoop got this off was showing internal ports for both sets of forwarders.  I left the default alone but added the second set, if that makes sense.

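The same change jmwills made through IIS Manager, as an added scripted example (not from the thread, and not something WHS 2011 or its Dashboard provides) for anyone who would rather have it repeatable. Run it in an elevated PowerShell prompt on the second server only; Server1 keeps its defaults. Two things the GUI hides are done explicitly here: the HTTPS certificate lives in HTTP.SYS, keyed by IP:port, so it has to be bound to the new port separately from the IIS binding, and the site's bindings are replaced as a set, so any binding you do not list is dropped. The site name, the 8080/8443 port pair and the assumption that the existing certificate is bound to 0.0.0.0:443 all come from the posts above and are not verified against a WHS 2011 box.

```powershell
# Added example, not code from the thread or from WHS 2011. Run elevated on Server2 only.
$SiteName  = 'Default Web Site'   # assumption: the RWA site, as named in jmwills's post
$HttpPort  = 8080                 # assumption: jmwills's alternate ports
$HttpsPort = 8443
$appcmd    = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# 0. Record what is there now, so anything beyond http:80 / https:443 can be carried over
#    (appcmd /bindings: REPLACES every binding on the site).
& $appcmd list site "$SiteName"

# 1. Capture the certificate HTTP.SYS currently serves on 443 so the same one can be reused.
#    Assumption: it is bound to 0.0.0.0:443; if not, run 'netsh http show sslcert' and adjust.
$sslInfo = & netsh http show sslcert ipport=0.0.0.0:443 | Out-String
if ($sslInfo -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') { $certHash = $matches[1] }
else { throw 'No certificate bound to 0.0.0.0:443. Check: netsh http show sslcert' }
if ($sslInfo -match 'Application ID\s*:\s*(\{[0-9A-Fa-f\-]+\})') { $appId = $matches[1] }
else { throw 'Could not read the Application ID from netsh output' }

# 2. Rebind the site: HTTP on 8080, HTTPS on 8443, any IP, no host header.
& $appcmd set site /site.name:"$SiteName" /bindings:"http/*:${HttpPort}:,https/*:${HttpsPort}:"

# 3. Bind the same certificate to the new HTTPS port in HTTP.SYS. Without this step IIS
#    accepts the TCP connection on 8443 but the TLS handshake fails.
& netsh http add sslcert ipport=0.0.0.0:$HttpsPort certhash=$certHash appid="$appId"

# 4. Windows Firewall: the built-in rules only cover 80/443, so allow the alternate ports inbound.
& netsh advfirewall firewall add rule name="RWA alternate ports $HttpPort,$HttpsPort" `
    dir=in action=allow protocol=TCP localport="$HttpPort,$HttpsPort"

# 5. Verify all three pieces before touching the router.
& $appcmd list site "$SiteName"
& netsh http show sslcert ipport=0.0.0.0:$HttpsPort
& netsh advfirewall firewall show rule name="RWA alternate ports $HttpPort,$HttpsPort"
```

With the server listening on 8443 directly, the router rule for that port is a plain forward (external 8443 to internal 8443 on Server2) rather than the 8443-to-443 translation jem101 described; the two approaches are alternatives, and mixing them (IIS moved to 8443 while the router still translates to 443) is one way to end up with nothing answering on the new port.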
ikon

So it's not as simple as I thought/hoped. I had such high hopes too. Bummer. :( It's a pain having to change the IIS default ports.

 

I wonder how the 2nd server knows to send the packets over to the 1st one?

 

Anyway, glad you got it working, and it's great to have it documented so well. Thanks.
