deancollinsb

join:2013-06-09

Multiple Websites for sbs 2003 and USG-100

Ugh!! I just purchased a Zywall USG-100 and am pulling my hair out after spending all Sunday trying to work out what the heck I'm doing wrong.

I have a little bit of networking experience, having configured ISA2004, but this USG-100 is so UI-challenged and the user guide doesn't seem to answer my specific issue (or I'm obviously missing it, as this is a pretty basic requirement).

Basically the reason for the usg-100 purchase is I'm upgrading to SBS2008 for my home office (currently using SBS2003).

Because SBS2008 is no longer a 2-NIC solution and no longer has ISA built in, I purchased a USG-100 (overkill for my home office requirements, but I figure faster = better).

I have spent the whole day trying to work this out and am at throwing it out the window stage.

Basically my plan was to install the USG-100 between the cable modem and the SBS2003 box this Sunday, get used to the config, and then change up the network next Sunday so it would run cable modem - USG-100 - 24-port switch to the various servers and workstations (1 x SBS2008, 2 laptops, 2 desktops, 1 media server, 1 Asterisk PBX and a second Windows Server 2008 that I run about 20 websites on).

Basically the outbound traffic is fine. I worked out how to get a 72.x.x.x IP address for the USG-100 from my cable modem, and the DHCP scope for desktops is still using the SBS2003 server, 192.1.1.0/24.

However my issue is WHERE on the USG-100 do I configure the www addresses it is supposed to allow on the SBS2003 and Server 2008???

Basically any FQDN URL I type from the WAN (and/or LAN) is going to the Zywall login page?

Even if I setup a firewall rule allow any from wan to access Lan1......it still doesn't work.

What am I missing?

ZW_Joe

join:2005-10-08
San Anselmo, CA
What I do is set the Admin USG WAN ports to 8080 and 8443 (CONFIG > SYSTEM > WWW). This way you're off of 80 and 443 anyway. Make sure you have a NAT rule to direct traffic from the WAN IP to the LAN IP of SBS, and a FW rule. Create the objects or services defining all these first. Then when you build your rules you'll see the objects or services.

Also, calling ZyXEL support has always been awesome. They'll even login and help you set this all up. I have a dedicated login for them.

This is funny. I used to run SBS03 and ISA. I'd say once you get the hang of the USG, you'll find it's way easier than messing with ISA. ISA is pretty powerful and flexible, but dang. I love my USG100.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to deancollinsb
You need to create a virtual server rule in NAT (port forwarding) and an associated firewall rule WAN to LAN for any services you want to make accessible to the public.

- On the interface page for the LANs it states where they get DNS resolution.

- On the DNS page under System I think there is a whole page dedicated to FQDN and domain forwarding, yadda yadda; it's Greek to me, but it sounds like it's where you need to be.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment

deancollinsb

join:2013-06-09
reply to ZW_Joe
So just confirming: moving service ports involves going to Configuration/System/WWW and changing the HTTPS server port from 443 to 8443.

Can you please confirm this.

(just making sure I don't need to change the setting in the ADMIN SERVICE CONTROL section just below from ALL to 8443)

Also wouldn't you have an issue using http on 8080 with the firewall client ports for ISA2004?

ZW_Joe

join:2005-10-08
San Anselmo, CA
said by deancollinsb:

So just confirming moving service ports involves going to Configuration/system/www and changing https server port from 443 to 8443

Yes. You change HTTP on the same page, just below as well.

said by deancollinsb:

Also wouldn't you have an issue using http on 8080 with the firewall client ports for ISA2004?

Not sure I follow you. This is only for accessing the USG. You'll need to map a WAN IP to the IP (object) of the SBS server using NAT. If there are any services (WWW, FTP, etc.) you'll need to include these as well. Then you create a firewall rule to allow Any to this WAN IP using any rules you need, etc.

deancollinsb

join:2013-06-09
Hmmm, problem: when I change the management ports to 8443 I get logged out of the USG-100 and can't log back in (can't see the page).

Even when typing 192.168.1.1:8443

....I'm assuming I'm being blocked by ISA2004, but even though I select this as an outbound port....can't get it to appear in my browser.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to deancollinsb
Hmmm, I use a non-standard port and don't redirect from HTTP to HTTPS (thus you really have to know on my LAN what to type in).

did you ensure the admin login is available in the page, ie the LAN has access?

deancollinsb

join:2013-06-09
Sorry, but why would changing port numbers affect this: "admin login is available in the page, ie the LAN has access"?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
It wouldn't. I was grasping at straws, as perhaps he was frigging with the rules and didn't happen to mention changing them (occurs often when trying to help).

deancollinsb

join:2013-06-09
Just spent 1 hour with Zyxel support....nice people, but no one there understands SBS2003 apparently, and no one has ever filmed a configuration video with SBS2003 even though 100,000+ companies in the USA use it.

Also told I can't PAY for paid support to talk to someone who has used it.

Basically they are saying that because I am refusing to allow the Zyxel to be the sole DHCP there will be a double-NAT issue, and I need to purchase an IP address for each and every website I run, or display it using different ports.....

WTF?????????????????

Why sell a box with 5 ports if you can only map 1 URL at a time?

I think I'm going to toss this box out the window and get a real firewall that understands how to work with a DNS that it doesn't control. So frustrated; I've spent over 30 hours trying to figure this shit out and half of it isn't even documented in the PDF.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to deancollinsb
I believe the better way to run multiple external facing servers is through public IP address, ie get a block from your ISP.

If you want to run servers behind the Zywall's own public IP, then you will run into difficulties, but they may be surmountable. You will have to create virtual server rules and associated firewall rules such that access from those outside the router (WAN side) can reach your servers.

Due to port forwarding restrictions you will only be able to forward any individual port once, i.e. you cannot port forward a port to more than one address on the LAN. You can port forward as many ports as you wish to the same LAN address. If you need more than one server which utilizes the same port (let's say multiple FTP servers) then your choices are:
a. change the port on the server (easy)
b. get public IPs to assign to the server (easy but $)

There are no restrictions on the same port being used on the router if you have a block of IPs. So if you had 5 usable IPs, you could have 5 servers (one with port forwarding associated with the router IP and 4 direct to servers on the LAN (only need FW rules for these ones)).

If I have missed the mark or can shed more light on the troubles then better assistance can be provided.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
reply to deancollinsb
said by deancollinsb:

WTF?????????????????

Your one and only problem was your assumption: "Hey, I managed to get ISA2004 working, how hard can this Zyxel thingie be?"

RTFM for starters here: ftp://ftp.zyxel.com/ZYWALL_USG_100

USG is fully capable of hosting SBS with multiple web servers and other services on it.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to deancollinsb
I also recommend reading through all the support notes, 2008, 2010 and 2012, lots of examples and explanations.

deancollinsb

join:2013-06-09
reply to Brano
I read the manual....but when you have only 3 paragraphs on exposing an internal website to the internet there is a problem (and yes, I'm as surprised as you that ISA2004 was easier to work out than Zywall).

deancollinsb

join:2013-06-09
reply to Anav
Cool, I'll check them out. I downloaded the latest copy of the manual; aren't they included?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
reply to deancollinsb
The built-in help is also very useful. Often better than the manual IMO.

deancollinsb

join:2013-06-09
reply to Anav
What I don't understand is how come you can't have a DNS that handles which server the actual websites are located on.

E.g. I have 30 to 40 different websites running......surely I don't need an IP address for every site. If SBS 2003 can handle this (over 10 years ago), why is Zywall so far behind (especially when it probably costs about the same as ISA2004)?

I kept thinking I must have been missing something obvious and making a mistake when I couldn't figure it out in over 8 hours of trying different things.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
If all the 30 sites are on one physical server then ZyWall can handle this easily ... basic setup.

If these 30 sites are split between let's say two physical SBS servers then you need a) either two WAN IPs or b) have half the sites that point to 2nd server run on alternate port.

For the DNS approach you'd need deep packet inspection for HTTP and perhaps get it working, but that won't work with HTTPS and you're back to basics.

deancollinsb

join:2013-06-09
Yes, they are on 2 servers now, but I'm planning on beefing up my server and running VMs.....which would basically mean even more servers, which is why I'm surprised Zywall is unable to handle something so basic.

I keep thinking I'm missing something.

deancollinsb

join:2013-06-09
reply to Brano
Very cool, just been checking it out.....didn't think this would be different from the PDF (haven't noticed anything yet but will spend some more time checking these out).......disappointing that Zywall doesn't have better documentation.

Is there a zywall for dummies 3rd party book/website you recommend?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
reply to deancollinsb
You're saying basic, so how/what device can handle this the way you want? Especially when the traffic is encrypted for port 443? Perhaps some devices with packet inspection, and assuming all servers support SNI, could do it, but I'm pretty sure a basic sub-$1000 router can't.

Firewalls (USG and similarly priced) operate on Layers 3 & 4 (IP, TCP/IP).
DNS, HTTP, DHCP and other services are on Layer 7. ...so the issue is right here.

This is how "browsing works". Client wants to access www.foo.bar. Browser sends a DNS request and gets the response that www.foo.bar is on 100.100.100.100. A TCP session is initiated to 100.100.100.100 (note: not to the FQDN). The TCP session carries the HTTP protocol with the FQDN, which the receiving server opens, and if it's configured for "name-based hosting" it will spit out the appropriate www.foo.bar web page.

So back to your statement "I'm surprised zywall is unable to handle something so basic" ...I'm not so surprised, it's expected behaviour. That said, if you had this configured with some other router I'd like to know, please, for my education.

----

Back to your config (assuming only one SBS with multiple web hosts):

1) Ensure your USG has a public IP on its WAN port (check that your modem is not doing NAT)
2) Ensure port 80 and 443 are not used (move your USG management to different ports or even better disable it for WAN side)
3) Create NAT (Virtual server) from your WAN IP to your SBS LAN IP.
4) Punch WAN-to-LAN firewall hole(s) for the above
5) Ensure your SBS has static IP or DHCP reservation and correct gateway (since you moved it from some old setup it's worth double-checking things)
6) Double check your policy routes just in case.

Note:
0) For multiple physical servers on LAN you need multiple public IPs or running services on alternative ports with one IP only.
1) Firewall rules are evaluated from top to bottom (first match takes it)
2) Policy rules are evaluated from top to bottom (first match takes it)
3) Some other tips: Secure your USG - quick how-to

EDIT: Alternatively IPv6 may be a solution for your multiple servers

EDIT2: Or a reverse proxy as mentioned here: Re: WAN to ANY
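
The point Brano makes above (a NAT rule sees only an IP and a port, while the site name travels inside the HTTP request, or inside the TLS ClientHello's SNI extension for HTTPS) is what a reverse proxy acts on. The following Python is an added example written for this thread; it is not code from the thread, from ZyXEL or from any product mentioned here. It shows the Layer-7 decision such a proxy makes before forwarding a connection: it pulls the host name out of the first bytes of a plain-HTTP request or a TLS ClientHello and looks it up in a backend table. The backend map, the host names and the sample messages are constructed for the example; a real proxy would then relay the bytes to the chosen LAN address.

```python
"""Name-based routing decision of a reverse proxy (added example, constructed data).

A port-forward on a Layer 3/4 firewall can send TCP port 80 (or 443) to one LAN
host only. A reverse proxy on that one host can read the request and pick the
backend by name: the HTTP Host header for plain HTTP, the server_name (SNI)
extension of the TLS ClientHello for HTTPS. Without SNI the name sits inside the
encrypted stream and cannot be used for routing, which is the HTTPS caveat above.
"""
import struct

# Hypothetical map of public host names to LAN web servers (constructed values).
BACKENDS = {
    "www.foo.bar": ("192.168.1.10", 80),
    "shop.foo.bar": ("192.168.1.11", 80),
}


def host_from_http(request: bytes):
    """Return the Host header of a plain-HTTP request (lower-cased, port removed) or None."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii", "replace").lower()
    return None


def sni_from_client_hello(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None.

    Walks TLS record -> Handshake -> ClientHello -> extensions (RFC 5246 / RFC 6066).
    Any truncated or malformed input yields None instead of raising.
    """
    try:
        if record[0] != 0x16:                      # not a Handshake record
            return None
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 0x01:                        # not a ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                               # client_version + random
        pos += 1 + hello[pos]                      # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                      # compression_methods
        if pos >= len(hello):
            return None                            # no extensions, so no SNI
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + length]
            pos += 4 + length
            if ext_type == 0x0000:                 # server_name extension
                # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace").lower()
        return None
    except (IndexError, struct.error):
        return None


def choose_backend(first_bytes: bytes):
    """Pick the LAN backend for a new connection from its first bytes, or None if unknown."""
    if first_bytes[:1] == b"\x16":                 # TLS handshake record
        name = sni_from_client_hello(first_bytes)
    else:
        name = host_from_http(first_bytes)
    return BACKENDS.get(name) if name else None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32)               # version + random (zeros, sample only)
             + b"\x00"                             # empty session_id
             + b"\x00\x02\xc0\x2f"                 # one cipher suite
             + b"\x01\x00"                         # null compression
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(choose_backend(b"GET / HTTP/1.1\r\nHost: shop.foo.bar\r\n\r\n"))
    print(choose_backend(build_client_hello("www.foo.bar")))
    print(choose_backend(build_client_hello("unknown.example")))
```

An unknown name returns None so the proxy rejects the connection rather than guessing a backend; that is also where a request with no Host header, or a ClientHello without SNI, ends up, which is why the older non-SNI clients Brano alludes to cannot be served by name on a shared IP.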

deancollinsb

join:2013-06-09
I guess the reason why I'm surprised is that ISA2004, now almost 10 years old, can do this.

I'm thinking what I need to do is pick up a spare server, install Windows 2008 and ISA2007 on it, and have it front-end the network before the switch/SBS/servers/workstations.

I appreciate your input though; like I said, just surprised about something pretty basic getting this complicated. I'm surprised anyone running VMs across multiple machines isn't having an issue with this, and the only advice is....buy more IP addresses.

BTW how do you even buy ip addresses on the end of a cable network?

JPedroT

join:2005-02-18
kudos:1
said by deancollinsb:

I appreciate your input though, like I said just surprised about something pretty basic getting this complicated. I'm surprised anyone running vm's across multiple machines not having an issue with this and the only advice is....buy more ip addresses.

BTW how do you even buy ip addresses on the end of a cable network?

That's because people that usually run multiple servers on different VMs have got multiple IP addresses.

Your virtual host solution is made to work with 1 server with 1 address. If you add a server to serve more hosts you need a unique address for that server. This is the "normal" way to do things when you step up from SOHO/SMB size.

Now you want to go to VMs, which is fine, but what you are actually doing is adding more servers. And each server needs an IP.

Now you can get routers/firewalls that do what you want, but we are talking about more high-end equipment. Which means a higher price tag.

As for your cable question, maybe your cable provider has a business option/offer that includes multiple ip addresses.
--
"Perl is executable line noise, Python is executable pseudo-code."

deancollinsb

join:2013-06-09
Can't get commercial fixed IP addresses from Time Warner in a residential location.

Basically I'd need to switch to Verizon DSL.....not an option. I'd prefer to go back to a MS ISA2004 solution first.

I'm still stunned that Zywall is totally ignorant about DNS and no one else is trying to run multiple servers on a USG100.....


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
said by deancollinsb:

I'm still stunned that zywall is totally ignorant about dns's and no one else is trying to run multiple servers on a USG100.....

I have to say it again: you're comparing apples with oranges. Two totally different products. You bought the wrong product for the desired functionality.

deancollinsb

join:2013-06-09
So why bother packaging 5 Ethernet connections on a device that can only route a single port to one Ethernet connection.... unless you are going to have one device handling email, one port 80 HTTP, one gaming, etc.

Like I said, I don't understand why it can't pass all traffic to a DNS and then allow the DNS to do its thing.

JPedroT

join:2005-02-18
kudos:1
Because the Ethernet ports are just a switch with options for some L2 and L3 things.

But you are asking for L7 features, which means DPI, and that causes a serious performance penalty.

And also this has nothing to do with DNS; it's about the HTTP request (servername field?), which means it's out of the domain of what the ZyWALL cares about.

en.wikipedia.org/wiki/Virtual_hosting

Now you could argue that with its DPI functions it already peeks into the packets, but that's for a simpler deny/allow mechanic than pushing the packet this way or that.

So basically you have acquired the wrong piece of equipment for the problem you are trying to solve.

I am no expert in virtual hosting, but why do you need 2 NICs on your SBS to do virtual hosting? I do it with Apache on Linux with no issues, but I am only running about 10 domains on the KVM Ubuntu installation I've got.

toysoft

join:2008-07-24
reply to deancollinsb
I am running a USG Zywall, with 8 static public IPs, with servers / DNS etc., all working properly (having some configuration issues for the email IP, but that's not your issue here).

The Zywall is connected to the ISP via a modem in bridge mode. The Zywall then redirects the public static IPs to internal IPs (on the LAN, or DMZ), so in such a situation it's possible to have up to 8 servers running and multiple domains, as you can host more than 1 domain per IP. You can use packages such as BlueQuartz to build a server with DNS/HTTP/FTP/SSH/etc. services that your Zywall will redirect the ports to.

TS


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

reply to deancollinsb
said by deancollinsb:

So why bother packaging 5 Ethernet connections on a device that can only route a single port to one Ethernet connection.... unless you are going to have one device handling email, one port 80 HTTP, one gaming, etc.

Like I said, I don't understand why it can't pass all traffic to a DNS and then allow the DNS to do its thing.

Hopefully, through the thorough, patient and high-quality advice and education you have received visiting this exemplary forum, your understanding has been expanded.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to toysoft
Hi toysoft thanks for the informative post.

I have a much simpler setup, but I do have two ISPs, with the main one being 80/30 and the minor one being like 1.5/.75 etc. The minor is kept due to the need for keeping old ISP email accounts. What I have done for this is simply create a policy route that tells the router: for any traffic originating on LAN1 destined for the minor ISP mail IP (object), your next hop is the WANMINOR interface.

I don't know if that helps with your email issues, but it's worth a shot.