Server 2008 2 Internet connections Help

cyberdec

Distinguished
Feb 11, 2009
I need to set up a server so it will work as follows: NIC 1 to Internet 1, handling ALL internet traffic; NIC 2 to Internet 2, to handle all incoming web and RDP traffic. Currently, if NIC 2 is not the default gateway then no RDP traffic works. If NIC 2 is the default gateway then all traffic goes on NIC 2. Either way there is no access to other servers for RDP.

NIC 1 cannot have 3389 open.

JustAGuy51

Distinguished
Oct 1, 2008
I can think of 2 things for your situation: the 1st one, firewall based, will work; the 2nd I am not sure about since I am not familiar with Windows server stuff.

1) You can configure the firewall that your Windows server sits behind so that it will forward either web or 3389 traffic to NIC 2. The caveat is this won't have any effect on internal users behind the firewall.

2) Assume that your Windows box is running Linux. With iptables, you can specify a set of rules so that when it sees either 80 or 3389 traffic come in via NIC 1, it will *redirect* it to the NIC 2 interface. Now, neither your web server nor the app that handles RDP will *ever* see those requests, because they are at the application level and you already did the redirects at the network level. This will work for everybody, internal or not.

The problem with #2 is I do not know the iptables equivalent in Windows. I already checked out pktfilter and in its doc it says:
"This kind of functionnality can only be implemented in a NDIS intermediary driver."

Hope that helps! If you find out a way to do it, please let me know. I am learning things too.

cyberdec

Distinguished
Feb 11, 2009
Thanks for this. I am not sure it will be a great help, but it is another option.

You mentioned iptables; I assume this is the routing table. Can you define the entries you think would solve this problem, and maybe I can adapt them to the Windows environment?

JustAGuy51

Distinguished
Oct 1, 2008
I reread your situation and here is your problem:
"currently if NIC 2 is not the default gateway then no RDP traffic works"
All you want is for all outgoing web/RDP packets to have the NIC 2 IP (and yet keep NIC 1 as default gateway).

You need "Source NAT": if a packet contains source port web/RDP and the source address is NIC 1, then change the source IP to that of NIC 2. Here is the extra complexity: this source address translation needs to be made *before* the routing decision by the kernel, so that the kernel will send it to NIC 2.

If source NAT is made *after* the routing decision, it will go out of the NIC 1 interface but with the NIC 2 address. I still don't see any big problem with this. A small problem may be that your network switch might get a little confused: the NIC 2 IP address coming into the port where the NIC 1 MAC is mapped.


As for NIC 1, still keep it as the default gateway. I know that Windows server supports NAT but I am not sure if it supports Source NAT (guessing it does). If you want a bit more info about this Source NAT/Destination NAT thing, go to www.netfilter.org and read there a bit. Netfilter = iptables; iptables are not routing tables, though the name implies that.

I did spend some time thinking for you and I would like to know the resolution. Please let me know how you solve it or if this works out.

cyberdec

Distinguished
Feb 11, 2009
Thanks again for your reply. I am not sure I have explained the problem correctly, so I will try again.

I have 2 internet connections. The first one, NIC1, is used for ALL internal Internet access. It is an externally firewalled and restricted network with all the bells and whistles of content filtering etc. So this is to remain the only way someone on the internal network can get out to the internet.

We have just decided to deploy terminal services to everyone as a way to combat the ongoing cost of replacing computers all the time and this is going well.

What I want to do is allow remote access for staff from home. On NIC1 I cannot do this as I cannot open any ports etc. So I got another DSL connection where I can do what I want, so long as it does not compromise the current access policies, i.e. no one internally will be able to use this connection.

While I do not have to, I thought it would be a good idea to have this on a second NIC and simply use routing to stop all other access.

As far as it goes, everything works fine with the second NIC in and connected, BUT when I try to RDP into the server via the new DSL I get no response.

After much grief and swearing I found that if NIC2 was the default gateway then it worked. Albeit not exactly as I want, but it does work.

It turns out that in Server 2008 you do not need to use port 3389: you can just install Terminal Services Web Access and use port 443 (HTTPS) from a web browser, and then log onto any server at the site that is in the Terminal Services server farm.

This however does not work, as I have not set up internal routing from NIC2 to NIC1 and I don't want to until I can get this gateway problem sorted.

I looked at the routing tables on the server and they all seem fine, but I guess I do not know enough about routing to fully understand them or how routing can help.

The problem seems to be that when the request comes in on IP 192.168.1.1 (new router) the reply is sent via 10.1.1.1 (the old router). A stumbling block for me is to understand what the routers and the server are seeing in the packets. Does the server respond to the source address (203.44.91.224) or the router address 192.168.1.1 where the packet came from? If the response is to the source address then I cannot see a way to resolve this without setting up border gateways and all that stuff.

Does this help in any way, or have I just muddied the water even more?

JustAGuy51

Distinguished
Oct 1, 2008
Actually, the source NAT in my previous post will work if you find something equivalent. Try googling "sNAT windows server" if you want.

I know exactly what your problem is:

Client-----------DSL Rtr/Public IP 2-----------
  |                                            |
  |                                   Windows 2008 Server
  |                                            |
  ---------------Main Rtr/Public IP 1----------

When the client sends a web/RDP request, here is the path the packet takes:
1) web/RDP packet leaves the client
2) packet reaches the DSL public IP
3) DSL router redirects it to the 2008 server. In this case, the packet source IP doesn't change but the destination IP becomes the 2008 NIC 2 IP
4) 2008 sees it, processes it and sends back a reply. Now a crucial point: since the source IP is a non-local network, it sends out to the default gateway, which is the Main Rtr private IP 10.1.1.1
5) Main router NATs the reply to its public interface IP. This time, the packet source IP becomes the main rtr public IP, and the packet dest IP is the client IP
6) When the client receives the response back, it will *reject* it because it never sent the request to your main router in the first place

Some behavior of Windows servers:
In this case, your 2008 server has 2 IP addresses assigned belonging to 2 different subnets, meaning it knows 2 default gateways. But it will only use one default GW at any given moment, and your server chooses (weighs more heavily) the main rtr private IP. Only in the case of failure will it reorder and choose the DSL private IP as the default GW.

There are 2 solutions: the 1st one Windows based, the 2nd one network based.

1. Take a look at reply post by Adamu Garba on this link:
http://forums.techarena.in/server-networking/891196.htm
It seems the ISA server MMC console can redirect traffic to the desired NIC based on IP, ports, etc. The caveat might be additional cost. If you want to follow this route, I can no longer help you.

2. If you look at step 4, the server reply went to 10.1.1.1 because the client source is from the Internet. Now imagine if the client source IP is from the local network: the reply will never go to the main rtr's private IP but directly to the local client. How can we make it so that the original request *seems* to come from the local network? The answer is to set up either a reverse proxy OR a NAT device between the DSL rtr and the 2008 server. This is a work-around from the network angle. The caveat here is you might need to set up a Linux box: try finding a non-Linux solution. If Linux, research 'netcat' for reverse proxy, and all Linux distros have NAT built-in.

Btw, what you are planning to do is called a backdoor. If somebody finds out about your DSL connection, they will follow the least protected path. So think about proper protection for your DSL link too. Also, if I were you, I wouldn't post that public IP address on forums. Hope it helps!
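The route lookup described in step 4 above, and the two ways the thread proposes to steer the reply (the Source NAT from the earlier post and the NAT device/reverse proxy "between the DSL rtr and the 2008 server" in solution 2), can be walked through with a small destination-based routing model. This is an added example, not code from the thread or from Windows; the addresses (10.1.1.0/24 behind 10.1.1.1 on NIC1, 192.168.1.0/24 behind 192.168.1.1 on NIC2, a NAT box at 192.168.1.254, a client at 198.51.100.7) and the route metrics are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None means the prefix is directly connected
    iface: str
    metric: int


# Constructed routing table for the server in the thread. Both routers are
# installed as default gateways; the main router's default route has the
# lower metric, so it is the one the host actually uses (the thread's
# "only uses one default GW at any given moment").
SERVER_ROUTES = [
    Route(ipaddress.ip_network("10.1.1.0/24"), None, "NIC1", 10),
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "NIC2", 10),
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.1.1.1", "NIC1", 10),
    Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1", "NIC2", 20),
]


def lookup(routes, dst):
    """Plain destination-based forwarding: longest prefix match, ties broken
    by the lowest metric. The ingress interface plays no part in the decision,
    which is exactly why the reply in step 4 leaves via the wrong router."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.iface, best.gateway


def reply_path(routes, request_src, nat_device=None):
    """Where does the server's reply to an inbound RDP/HTTPS request go?

    request_src: the source IP on the request as it arrives at the server.
    nat_device:  optional local address of a NAT box or reverse proxy placed
                 between the DSL router and the server (solution 2). The
                 request is source-NATed to that address before the server
                 sees it, so the reply is addressed to a local host and the
                 connected route on NIC2 wins the lookup.
    """
    seen_src = nat_device if nat_device else request_src
    iface, gateway = lookup(routes, seen_src)
    return {"reply_to": seen_src, "iface": iface, "via": gateway or "direct"}


def prefer_nic2_default(routes):
    """The original poster's workaround: make the DSL router the preferred
    default gateway. Inbound RDP then works, but every other flow with a
    non-local destination also leaves through the DSL link."""
    swapped = []
    for r in routes:
        if r.prefix.prefixlen == 0:
            metric = 10 if r.iface == "NIC2" else 20
            swapped.append(Route(r.prefix, r.gateway, r.iface, metric))
        else:
            swapped.append(r)
    return swapped


if __name__ == "__main__":
    client = "198.51.100.7"   # constructed Internet client address
    print("as configured:", reply_path(SERVER_ROUTES, client))
    print("NAT device in front:", reply_path(SERVER_ROUTES, client, "192.168.1.254"))
    print("NIC2 as default GW, inbound RDP:", reply_path(prefer_nic2_default(SERVER_ROUTES), client))
    print("NIC2 as default GW, internal web browsing:", lookup(prefer_nic2_default(SERVER_ROUTES), "203.0.113.80"))
```

The first call reproduces the asymmetric path in steps 4 to 6: the reply goes to 10.1.1.1 on NIC1 and comes back to the client from the main router's public address, which the client's TCP stack discards. The second shows why the NAT device fixes it without touching the default gateway: the server only ever talks to 192.168.1.254, which sits on a directly connected prefix on NIC2. The last two calls show the trade-off of the poster's workaround: with the DSL router preferred, the reply is correct, but so is every internal user's web traffic now steered around the filtered link.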

JustAGuy51

Distinguished
Oct 1, 2008
In the figure, my whitespace was zapped by the forum software. Put the 2008 server and the bars (rightmost, above and below) at the end of the dotted lines so that the figure looks like a rectangular box.

matbanik

Distinguished
Jan 3, 2012
This might not be exactly what you are looking for, but I just thought I'd add my two cents on how to change the RDP port in Win 2008 with the firewall enabled:

http://www.iteezy.com/change-rdp-3389-port-on-windows-2008-server/qc/10098&q=server