1

We have put a web server in place on a network; it was recently moved from a testing environment in another subnet to a different office. Now that we have the server in place, we can access it via its internal IP but cannot reach it on the assigned external IP. I am not sure what to do as normally, once you allow port 80 and 443 through and map the external IP to the internal you are typically up and running.

I even went so far as to disable the firewall on the IIS server running Server 2008. I can access the site on its internal IP on both HTTP and SSL. The Admin guy tells me the firewall has the proper settings in place but I do not have enough access to confirm. My usual logic tells me that if I can access it inside, as long as the firewall/router is configured correctly I should be able to get access outside the network as well.

This is Server 2008 and not R2. I know that Windows 2008 can differentiate traffic from local and external nets in the firewall, but I figured that would have been bypassed by disabling Windows Firewall. My eyes keep going to the firewall but I want to make sure that I am not missing anything.

Is there anything other than what I mentioned that I should be checking? I am at a loss.

Tyson Navarre

2 Answers

2

"cannot reach it on the assigned external IP"

Where on the network is this being attempted from? Internally or externally? If internally, have you tried from an external point as well?

If its external IP is reachable from an external point, but not internally, then it may be the router's configuration/ability to "loop-back" traffic which crosses/transitions between internal-external-internal.

user48838
  • You can load sites on port 80 on the internal 192.168 addy but cannot reach them from outside the network on the public IP – Tyson Navarre May 11 '11 at 13:33
1

So your problem appears to be that you are having difficulty determining where the problem is, that is, whether the problem is on the new web server that has moved from a testing environment to another subnet.

Part of the confusion is with terminology. You need to clarify, if only for your own sanity, between the network firewall (which may be using Checkpoint software based on your tags, but otherwise not mentioned) and the web server system's Windows Firewall on the web server.

For "external IP" I take it you mean a routable IP address that can be reached via the Internet, or in other words, not an RFC 1918 private IP address.

Without knowing the network topology, as alluded to by user48838 in his good answer, it is hard to say.

With the Windows Firewall enabled and logging rejected or denied connections, if you cannot see denied / rejected connections for web connections, or the failing network connection attempts in Event Viewer logs, then I would expect there to most likely be a problem with regard to the destination network address translation (D-NAT or DNAT) to forward the external requests to the web server on your internal network with its internal IP. Other approaches to forward external IP addresses may be possible, but DNAT is the most common.

Being a Unix geek I would normally use tcpdump to verify this. So enable any host-based TCP monitoring on the server (WinDump, Ethereal, or Wireshark) to see if it is receiving any TCP connection attempts for port 80 (HTTP) or 443: tcpdump "tcp port 80 or port 443"

Of course as @user48838 said, it may be a matter of your network not being set up to re-forward internal requests to your external IP addresses correctly, which can be a problem if you are trying to access the web server from the internal network. If this isn't a normal problem, you need to modify your testing procedures, such as using an external proxy for testing.

You didn't mention any proxy servers, so I assume they are not involved in this network setup.

mctylr
  • Thanks for the replies! I realize that my question from yesterday was very poorly worded. Chalk that up to frustration after a very long day. Anyway, the problem turned out to be that I was given incorrect network settings for the servers. They have some proxy gateways in place that I was unaware of that I discovered this morning. After getting the correct gateway settings in place on the NIC of the web server, we were able to access it from the outside. – Tyson Navarre May 11 '11 at 13:35
  • Sounds like all is now well... – user48838 May 11 '11 at 15:44
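
The packet-capture check suggested in the answer above can separate the candidate causes raised in this thread (DNAT not forwarding, the host not answering, or a wrong gateway on the server NIC). The following is an added example, not code from any of the posters: it reads text output in the style of `tcpdump -nn` taken on the web server and reports where the TCP handshake from external clients stops. The function names, the sample addresses and the capture lines are constructed for illustration, and it assumes the network firewall forwards with the client's original source address (no source NAT or proxy in front of the server).

```python
import ipaddress
import re

# IPv4 TCP lines as printed by `tcpdump -nn "tcp port 80 or port 443"`.
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in RFC1918)

def triage(capture_text, server_ip):
    """Say where external connections to the web server stop."""
    syn, synack, acked = set(), set(), set()   # keyed by (client, client_port, server_port)
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m[1], int(m[2]), m[3], int(m[4]), m[5]
        if dst == server_ip and dport in WEB_PORTS and is_external(src):
            key = (src, sport, dport)
            if flags == "S":
                syn.add(key)
            elif key in synack and "S" not in flags and "." in flags:
                acked.add(key)                 # client saw our SYN-ACK and answered
        elif src == server_ip and sport in WEB_PORTS and flags == "S.":
            if (dst, dport, sport) in syn:
                synack.add((dst, dport, sport))
    if not syn:
        return "no external SYN reached the server: check DNAT / network firewall"
    if not synack:
        return "SYN arrives but server is silent: check host firewall / IIS bindings"
    if not acked:
        return "server replies but client never ACKs: check default gateway / return route"
    return "handshake completes: problem is above TCP"

# Constructed sample captures (server 192.168.1.20, external client 203.0.113.10).
ONLY_INTERNAL = """\
13:30:01.000 IP 192.168.1.50.50000 > 192.168.1.20.80: Flags [S], seq 1, win 8192, length 0
13:30:01.001 IP 192.168.1.20.80 > 192.168.1.50.50000: Flags [S.], seq 9, ack 2, win 8192, length 0
"""
BAD_GATEWAY = """\
13:31:01.000 IP 203.0.113.10.51000 > 192.168.1.20.80: Flags [S], seq 1, win 64240, length 0
13:31:01.001 IP 192.168.1.20.80 > 203.0.113.10.51000: Flags [S.], seq 9, ack 2, win 8192, length 0
13:31:04.000 IP 203.0.113.10.51000 > 192.168.1.20.80: Flags [S], seq 1, win 64240, length 0
"""

if __name__ == "__main__":
    for cap in (ONLY_INTERNAL, BAD_GATEWAY):
        print(triage(cap, "192.168.1.20"))
```

A repeated SYN from the same client port after the server has already sent its SYN-ACK, as in the second sample, is the pattern a wrong gateway setting on the server produces: the request gets in, but the reply leaves by a path that never reaches the client.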