Geekzone: technology news, blogs, forums





Topic # 196534 3-Jun-2016 12:18

We will soon be deploying an on-premises web server, but ports 80 and 443 are already forwarded to Exchange for ActiveSync.

Obviously I will have a separate external A record for each server, but since they will both be resolving back to a single public IP I'm not sure how to redirect the traffic internally based on the requested URL.

How do you clever people deal with this kind of thing?








  Reply # 1564978 3-Jun-2016 12:21

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

I use nginx at home to do this (4 separate VMs, each having multiple services using ports 80/443).






  Reply # 1565008 3-Jun-2016 12:48

Andib:

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

I use nginx at home to do this (4 separate VMs, each having multiple services using ports 80/443).

I was reading about reverse proxies. Our firewall vendor tells us that it can't be configured as a reverse proxy (although various Google searches seem to contradict that).

So a reverse proxy is the only way of achieving this?


 
 
 
 




  Reply # 1565015 3-Jun-2016 12:59

Citrix NetScaler Unified Gateway, single IP in front of multiple different backend systems.



  Reply # 1565017 3-Jun-2016 13:02

Microsoft Web Application Proxy (Role on Server 2012 R2)




  Reply # 1565019 3-Jun-2016 13:04

Paul1977:

Andib:

You will need to set up a reverse proxy. We use TMG (although this will change soon as it's coming to EOL).

I use nginx at home to do this (4 separate VMs, each having multiple services using ports 80/443).

I was reading about reverse proxies. Our firewall vendor tells us that it can't be configured as a reverse proxy (although various Google searches seem to contradict that).

So a reverse proxy is the only way of achieving this?

The reverse proxy uses `Host` to separate different services.

http://nginx.org/en/docs/http/server_names.html

http://nginx.org/en/docs/http/request_processing.html

All these processes can be deployed on the same hardware, so there is no need to worry about the firewall.

                                   |------------------ Your home side ------------------|
                                   |                                    => Web service 1
    Internet ==> Firewall ==> Reverse proxy =============================> Web service 2
                                   |                                    => Web service 3
                                   |----------------------------------------------------|
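As an added worked example (my code, not nginx's logic and not from any poster), here is the `Host`-based decision a reverse proxy makes, written out so the checks a practitioner wants are visible: exactly one Host header, an absolute-form request-target taking precedence over Host (RFC 7230), port stripped and case folded before lookup, and no default backend for names the proxy does not know. The hostnames mail.company.com / portal.company.com, the internal addresses and the sample requests are assumptions constructed for the demo.

```python
"""Pick a backend for a plaintext HTTP request from its Host header.

Added example for this thread; not nginx code and not from any poster.
The hostnames and internal addresses are assumptions.
"""
from urllib.parse import urlsplit

# Assumed mapping: public name -> internal backend (host, port).
HOST_BACKENDS = {
    "mail.company.com": ("10.0.0.10", 80),    # Exchange (ActiveSync/OWA) on the LAN
    "portal.company.com": ("10.0.1.20", 80),  # new customer portal in the DMZ
}


class BadRequest(ValueError):
    """The request head is malformed: answer 400, never forward it."""


def parse_request_head(head: bytes):
    """Split an HTTP/1.x request head into (method, target, headers).

    headers is a list of (lower-cased name, value) pairs, so duplicate
    Host headers stay visible to the caller instead of being merged.
    """
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError as exc:
        raise BadRequest("non-ASCII request head") from exc
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise BadRequest("bad request line")
    headers = []
    for line in lines[1:]:
        if line == "":
            break
        # Reject obs-fold continuation lines and lines without a colon.
        if ":" not in line or line[0] in " \t":
            raise BadRequest("bad header line")
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers


def effective_host(target: str, headers) -> str:
    """Return the name this request is really for, normalised for lookup.

    Per RFC 7230 an absolute-form request-target overrides Host, an
    HTTP/1.1 request must carry exactly one Host, and the port is not
    part of the name a virtual host is selected on.
    """
    hosts = [value for name, value in headers if name == "host"]
    if len(hosts) != 1:
        raise BadRequest("expected exactly one Host header")
    try:
        if target.startswith(("http://", "https://")):
            authority = urlsplit(target).hostname
        else:
            authority = urlsplit("//" + hosts[0]).hostname   # hostname is lower-cased
    except ValueError as exc:
        raise BadRequest("unparseable host") from exc
    if not authority:
        raise BadRequest("empty host")
    return authority.lower().rstrip(".")


def choose_backend(head: bytes):
    """Return the (host, port) to forward to, or None for an unknown name.

    Unknown names deliberately map to nothing: a default backend would
    hand every scan of the bare public IP straight to Exchange.
    """
    _, target, headers = parse_request_head(head)
    return HOST_BACKENDS.get(effective_host(target, headers))


def decide(head: bytes):
    """Proxy decision: ('forward', backend), ('400', None) or ('404', None)."""
    try:
        backend = choose_backend(head)
    except BadRequest:
        return ("400", None)
    return ("forward", backend) if backend else ("404", None)


# Constructed sample requests (not captured traffic).
ACTIVESYNC_REQUEST = (b"OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1\r\n"
                      b"Host: mail.company.com\r\n"
                      b"User-Agent: Apple-iPhone/1\r\n\r\n")
PORTAL_REQUEST = (b"GET /login HTTP/1.1\r\n"
                  b"Host: PORTAL.Company.com:80\r\n\r\n")

if __name__ == "__main__":
    for request in (ACTIVESYNC_REQUEST, PORTAL_REQUEST):
        print(request.split(b"\r\n")[0].decode(), "->", decide(request))
```

In nginx the same decision is the `server_name` of each `server` block; give the listener a `default_server` block that matches no real name and returns nothing (`return 444`), so requests addressed to the bare IP or to a name you never published are dropped instead of landing on Exchange.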



  Reply # 1565023 3-Jun-2016 13:09

There are 2 reasons why you would want to do this.

1) One server is not enough, or

2) You want to utilize a web server you already have, by running more hosts on it.

If it's #1, you should look at making the IP address work as a load balancer and proxy the traffic off to other hosts.

If it's #2, use virtual hosts, where the incoming request determines which vhost the request is routed to.

Or you could use a mixture of both.

Personally I would use NGINX to achieve this. The product is perfect for serving static content, and can pass through so much stuff to servers behind the public address.

You can hand off Node.js via PM2 or PHP via PHP-FPM processing to other machines.

The other option is you could buy more IPs.

I can help you with an Apache or NGINX config if you want... I really need to know a bit more about what you are trying to do.










  Reply # 1565028 3-Jun-2016 13:14

jnimmo:

Microsoft Web Application Proxy (Role on Server 2012 R2)

The idea is to have a separate webserver in a DMZ for client access, and our Exchange on the main LAN.

If we deployed the webserver on a 2012 R2 server, could that function as both the proxy and a webserver? E.g.:

Firewall points inbound web traffic to the 2012 R2 server; if the request is for mail.company.com it forwards the traffic to the Exchange server, and if the request is for portal.company.com it forwards it on to itself?






  Reply # 1565035 3-Jun-2016 13:22

darylblake:

There are 2 reasons why you would want to do this.

1) One server is not enough, or

2) You want to utilize a web server you already have, by running more hosts on it.

If it's #1, you should look at making the IP address work as a load balancer and proxy the traffic off to other hosts.

If it's #2, use virtual hosts, where the incoming request determines which vhost the request is routed to.

Or you could use a mixture of both.

Personally I would use NGINX to achieve this. The product is perfect for serving static content, and can pass through so much stuff to servers behind the public address.

You can hand off Node.js via PM2 or PHP via PHP-FPM processing to other machines.

The other option is you could buy more IPs.

I can help you with an Apache or NGINX config if you want... I really need to know a bit more about what you are trying to do.

Thanks Daryl,

Basically I just want to have a separate webserver in a DMZ for a customer portal, while keeping Exchange in our main subnet, but both behind the same public IP.

The new webserver will be deployed on a new Windows server.



  Reply # 1565042 3-Jun-2016 13:36

You can't offer two services on the same public IP / port combination. So you need to change your current setup or add a new domain. Suggest you create a subdomain (i.e. a new A record, e.g. customerportal.example.com) and run nginx as a proxy server in front of these web servers. Nginx is pretty easy.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer




  Reply # 1565044 3-Jun-2016 13:39

I use haproxy for this.

If you want HTTPS servers behind the proxy, haproxy has a neat feature where it can sniff the hostname from the SNI handshake and direct traffic to the correct internal server accordingly. It can also, if you run it on the router/gateway the webservers are using, fake the source IP of the TCP connections it makes to your webserver, so that they appear to come from the original source IP, not the IP of the haproxy box.
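The SNI routing described above works because the client sends the server name in the clear in the TLS ClientHello, before any key exchange, so a proxy can pick a backend without holding either server's private key. As an added example (my code, not haproxy's and not from any poster), this parses a ClientHello record, pulls out the server_name extension and chooses a backend; a connection with no SNI, an unknown name or a malformed hello gets no backend rather than falling through to Exchange. The hostnames, backend addresses and the `build_client_hello` helper that fabricates a ClientHello for the demo are assumptions.

```python
"""Pick a backend from the Server Name Indication in a TLS ClientHello.

Added example illustrating what haproxy does in TCP mode; it is not haproxy
code and not from any poster. Hostnames, backend addresses and the
ClientHello builder used for the demo are assumptions.
"""
import os
import struct

# Assumed mapping: SNI name -> internal (host, port); TLS passes through untouched.
SNI_BACKENDS = {
    "mail.company.com": ("10.0.0.10", 443),    # Exchange on the main LAN
    "portal.company.com": ("10.0.1.20", 443),  # customer portal in the DMZ
}


class MalformedClientHello(ValueError):
    """The bytes are not a complete, well-formed TLS ClientHello."""


def extract_sni(record: bytes):
    """Return host_name from the server_name extension, None if absent; raise if malformed."""
    if len(record) < 5 or record[0] != 0x16:                 # 0x16 = handshake record
        raise MalformedClientHello("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:                     # 0x01 = client_hello
        raise MalformedClientHello("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise MalformedClientHello("truncated ClientHello")
    try:
        pos = 2 + 32                                          # client_version, random
        pos += 1 + hello[pos]                                 # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                                 # compression_methods
        if pos == len(hello):
            return None                                       # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if ext_end != len(hello):
            raise MalformedClientHello("extensions length mismatch")
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if len(data) != ext_len:
                raise MalformedClientHello("truncated extension")
            if ext_type != 0x0000:                            # 0x0000 = server_name
                continue
            entries = data[2:2 + struct.unpack("!H", data[:2])[0]]
            epos = 0
            while epos + 3 <= len(entries):
                name_type = entries[epos]
                name_len = struct.unpack("!H", entries[epos + 1:epos + 3])[0]
                name = entries[epos + 3:epos + 3 + name_len]
                epos += 3 + name_len
                if name_type == 0 and len(name) == name_len:  # 0 = host_name
                    return name.decode("ascii").lower().rstrip(".")
            return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise MalformedClientHello("truncated or invalid ClientHello") from exc
    return None


def choose_backend(record: bytes):
    """Backend for this connection, or None when it should simply be closed."""
    # No SNI and unknown names route nowhere: a default backend would expose
    # Exchange to anyone who connects to the bare public IP.
    name = extract_sni(record)
    return SNI_BACKENDS.get(name) if name else None


def is_tls_client_hello(record: bytes) -> bool:
    """True if the bytes parse as a ClientHello (with or without SNI)."""
    try:
        extract_sni(record)
        return True
    except MalformedClientHello:
        return False


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello for the demo (not a real client)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host    # host_name entry
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni
    hello = (b"\x03\x03" + os.urandom(32)                         # version, random
             + b"\x00"                                             # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"                  # one cipher suite
             + b"\x01\x00"                                         # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

In haproxy this is a `mode tcp` frontend with `tcp-request inspect-delay` and ACLs on `req.ssl_sni`; the proxy never sees plaintext, so Exchange and the portal keep their own certificates and keys. The source-IP preservation the post mentions is haproxy's transparent proxying (`usesrc clientip`), which works only when the haproxy box is the backends' default gateway, as the post says, because the reply packets must come back through it.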






  Reply # 1569162 10-Jun-2016 09:34

darylblake: The other option is you could buy more IPs.

This seemed like a good idea, but Spark have come back and said "We can only assign one Static IP to each broadband connection I am afraid. This is a system issue, not a business rule."

I tend to take what Spark first level support tell me with a grain of salt, as I have been given incorrect info in the past.

Can anyone confirm if the above is definitely the case? @cbrpilot do you have any knowledge about this?

Thanks



  Reply # 1569164 10-Jun-2016 09:36

You may be ok with one IP. Does ActiveSync address the server by domain name or by IP?











  Reply # 1569188 10-Jun-2016 09:56

timmmay:

You may be ok with one IP. Does ActiveSync address the server by domain name or by IP?

By domain name, but I'd still need a reverse proxy for this to work, wouldn't I, since ports 80 and 443 need to be forwarded to different internal servers depending on the requested URL?

I was hoping it might be possible to avoid needing a reverse proxy by having multiple public IPs.



  Reply # 1569198 10-Jun-2016 10:11

You have the option of moving ISPs if for some reason this solution is simpler for you. We use Snap.net.nz (now 2Degrees) and have multiple static public IPs on our VDSL connection.

Or just add a second broadband connection to the building if the expense can be justified.

Does the workload REALLY have to be on site?

Or is it time to consider moving email to Office 365 or similar, which would free up port 443?






Spark NZ

  Reply # 1569202 10-Jun-2016 10:15

Paul1977:

darylblake: The other option is you could buy more IPs.

This seemed like a good idea, but Spark have come back and said "We can only assign one Static IP to each broadband connection I am afraid. This is a system issue, not a business rule."

I tend to take what Spark first level support tell me with a grain of salt, as I have been given incorrect info in the past.

Can anyone confirm if the above is definitely the case? @cbrpilot do you have any knowledge about this?

Thanks

Yes, this is correct. We only support a single IP address per broadband connection.





My views are my own, and may not necessarily represent those of my employer.
