1

I have two servers on my network; both are running Windows Server 2008 R2 and both are using IIS 7.

I currently have the subdomain mail.example.com pointing to our external IP (170.1.1.1) and then ports 80 and 443 forwarded to the Exchange mail server (192.168.0.1). I would like to have web.example.com pointing to the same external IP (170.1.1.1) but have ports 80 and 443 forwarded to a different web server (192.168.0.2). Is there a way to do this, either through IIS, DNS or my router (Cisco ASA-5505)?

Drew

3 Answers

6

A router or firewall can't do what you want, because it only handles TCP/IP traffic, and thus can only forward a given port to a given internal server; what you need is a reverse proxy, which, being able to understand HTTP(S) requests, can forward them to the right web server based on host headers. Microsoft TMG is a product which will happily perform this task.

However, if you are using HTTPS, things will get a little more complex, because only a given SSL certificate can be bound to a given IP address/port pair, so you will need a certificate capable of accepting both names.

Massimo
  • That is just making things unnecessarily complicated, instead of just buying another IP. – Frederik Sep 17 '12 at 18:31
  • 1
    @FrederikNielsen it does answer the question, though. – MDMarra Sep 17 '12 at 18:32
  • @MDMarra True, but it is still overcomplicating things :) That's also why I didn't downvote it. It is a solution, but not the best. – Frederik Sep 17 '12 at 18:33
  • 2
    @FrederikNielsen, I totally agree. But this is what the OP asked for, so I answered it :-) – Massimo Sep 17 '12 at 18:33
  • You just need a reverse proxy that supports [SNI](http://serverfault.com/a/417580/126632), and for whoever is coming to your web site to not be using IE on Windows XP. – Michael Hampton Sep 17 '12 at 18:38
  • 2
    @FrederikNielsen, while the use of a proxy may seem complicated to amateurs or beginners, on a site for professionals such an elementary and obvious solution is hardly seen as complicated. It's the way these things are generally done and any of us should be able to set it up in a fraction of the time it takes to acquire and configure the system for an additional IP address. – John Gardeniers Sep 17 '12 at 20:51
  • @JohnGardeniers I have never ever heard of a setup with a proxy like that - here we generally always use a new IP. Also, setting up a proxy introduces a new SPOF - if the proxy fails, everything fails. K.I.S.S. ;) – Frederik Sep 17 '12 at 21:03
  • 1
    @FrederikNielsen, these application proxies, as they're often called, are almost always designed such that you can use more than one in parallel specifically to avoid SPOF. If you go to any large-scale web site, you're almost definitely not directly hitting a web server - you're hitting something like haproxy or an F5 which is proxying your request to the "real" server (likely one of a pool of servers) based on URL, hostname, or any number of relevant parameters from the request. :) It might be doing the SSL termination as well; the backend server probably isn't. – dannysauer Feb 27 '19 at 23:07
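
The host-header routing described in the answer above, as an added example that is not part of the original answer or its comments. It uses Go's standard library rather than TMG, takes the hostnames and internal addresses from the question, and handles plain HTTP on port 80 only; port 443 would additionally need the certificate covering both names that the answer mentions.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Backends from the question: one public IP, two internal servers.
var backends = map[string]string{
	"mail.example.com": "http://192.168.0.1",
	"web.example.com":  "http://192.168.0.2",
}

// backendFor normalizes a Host header value (case, optional port, trailing
// dot) and returns the internal URL for it, or false for an unknown name.
func backendFor(hostHeader string) (*url.URL, bool) {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
	}
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	target, ok := backends[host]
	if !ok {
		return nil, false
	}
	u, err := url.Parse(target)
	return u, err == nil
}

// route proxies known hostnames and rejects everything else, so a request
// with an arbitrary Host header is never relayed to an internal server.
func route(w http.ResponseWriter, r *http.Request) {
	u, ok := backendFor(r.Host)
	if !ok {
		http.Error(w, "unknown host", http.StatusMisdirectedRequest)
		return
	}
	httputil.NewSingleHostReverseProxy(u).ServeHTTP(w, r)
}

func main() {
	log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(route)))
}
```

The router keeps forwarding port 80 to a single internal address, the proxy's, and the allowlist in `backends` is what decides which internal server a request reaches.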
0

No.

You cannot forward the same ports to multiple destinations - that is simply not possible.

You would have to buy a few extra IP addresses for it to work.

Frederik
0

It's not possible to forward the same port to different hosts based on the FQDN of a request. DNS lives in the application layer, while port forwarding takes place in the transport layer. See the TCP/IP layer model.

Ansgar Wiechers