Koozali.org: home of the SME Server

To DMZ or not

Greg

To DMZ or not
« on: May 19, 2003, 04:37:55 PM »
I have three 5.5U6 boxes running IPSEC; the main box is the mail server, the two remotes just do file sharing.
I need to put on an IIS server behind the main server to run several domains using Cold Fusion and ASP.
Is there any way to do this? PortForwarding won't forward port 80, and Proxypass fails as soon as the internal web server changes to a CGI directory.
Is there a way to use E-Smith, or do I need to put on a plain Red Hat server as a firewall?

Kelvin

Re: To DMZ or not
« Reply #1 on: May 19, 2003, 05:44:06 PM »
Hi Greg,

Instead of a plain RH Server, why not use something like IPCop or Smoothwall which are designed as firewalls. They also run on lesser hardware than the current SME.

If the prospect of running yet another PC does not appeal to you, then consider a VPN Firewall hardware device.

Kelvin

Greg

Re: To DMZ or not
« Reply #2 on: May 19, 2003, 06:17:18 PM »
No problem with another PC, but I don't want to blow away the IPSEC that I have working. I am running SIP VOIP phones across the tunnel, along with mail and file access, which means I have put myself in a position of not being able to be down. I have enough spare PCs to set up a test of the whole mess.

I have no problem with leaving the E-Smith 5.5 up as the firewall if I could get port 80 through it; then I would just set another 5.6 box up behind it and put the web servers between the two.

Terry Brummell

Re: To DMZ or not
« Reply #3 on: May 19, 2003, 07:08:12 PM »
Have you stopped the httpd service before trying to forward port 80? Also, when you test it, it needs to be tested from the external side; port forwarding will not forward internal requests. I've forwarded port 80 on my 5.5 server many times, works fine here.

Greg

Re: To DMZ or not
« Reply #4 on: May 19, 2003, 07:52:22 PM »
I guess I can't get there from here. Stopping httpd would bring down webmail, usermanager and config ability (easier than the console).
I don't want to replace the 5.5 server that's here with 5.6 because of the IPSEC (even in a test environment with clean installs, IPSEC between 5.5U6 and 5.6U4 won't work).
How do you stop httpd on E-Smith? chkconfig shows all off when it's running.
I guess I could build a new 5.5 box and put it in front of the one I have now and forward all the ports I need (25, 110, 80 and so on). Does port forwarding work on 5.5?

Terry Brummell

Re: To DMZ or not
« Reply #5 on: May 19, 2003, 08:11:52 PM »
Admin server manager is run under admin-httpd (or something like that, port 980), not httpd. But yes, you would lose webmail, and I'm not sure if user-manager uses httpd or admin-httpd.
Like I said, port forwarding works fine on 5.5, but if there is a service running on the port you wish to forward, it must be stopped before the forwarding will work.

Terry
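As an added example (not part of this thread, and not SME/e-smith code), here is a small POSIX shell check for the situation Terry describes: before forwarding a port, see whether a local service on the firewall box is already bound to it. The function reads `netstat -tln` output (a constructed sample is embedded so it runs offline; the port numbers 80 and 980 mirror the ones mentioned above) and prints every local address listening on the requested port.

```shell
#!/bin/sh
# Constructed sample of `netstat -tln` output, standing in for a box whose
# own web server (port 80) and admin server (port 980) are still listening.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:980             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# port_listeners PORT [NETSTAT_OUTPUT]
# Prints each local address:port bound in LISTEN state on PORT.
# Returns 0 if at least one listener was found, 1 otherwise.
# If NETSTAT_OUTPUT is omitted, the live `netstat -tln` output is used.
port_listeners() {
  port="$1"
  input="${2:-$(netstat -tln 2>/dev/null)}"
  printf '%s\n' "$input" | awk -v p="$port" '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      # the port is the last colon-separated field of "Local Address"
      n = split($4, a, ":")
      if (a[n] == p) { print $4; found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# Usage: refuse to proceed with a port forward while something local holds the port.
check_before_forward() {
  if listeners=$(port_listeners "$1" "${2:-}"); then
    echo "port $1 is still bound locally ($listeners); stop that service before forwarding" >&2
    return 1
  fi
  echo "port $1 is free to forward"
  return 0
}
```

Run `check_before_forward 80` on the firewall itself; a non-zero exit means a local daemon still owns the port and the forward would never be reached.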

Greg

Re: To DMZ or not
« Reply #6 on: May 19, 2003, 08:20:51 PM »
So what do you stop? All the httpd entries show off, but something is running (confused).

httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd-admin     0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd-e-smith   0:off   1:off   2:off   3:off   4:off   5:off   6:off

Guck Puppy

Re: To DMZ or not
« Reply #7 on: May 19, 2003, 10:45:54 PM »
You could always change the port that http is listening on as well.

http://www.familybrown.org/howtos/listen-port-howto.html

G

Greg

Re: To DMZ or not
« Reply #8 on: May 20, 2003, 12:04:04 AM »
How close is http://www.familybrown.org/howtos/listen-port-howto.html to what I will see in 5.5 and 5.6, since it's 5.1.2?

Guck Puppy

Re: To DMZ or not
« Reply #9 on: May 20, 2003, 01:28:54 AM »
The template in question still exists, it still references the same stuff, I'd say close enough.

Maybe Dan has some opinions on it?

G

Boris

Re: To DMZ or not
« Reply #10 on: May 20, 2003, 02:03:24 AM »
I would give ProxyPass another try. Make sure you are using updated (by Abe Loveless) RPM. It works great for our Windows2000/IIS/ASP based pages behind SME main webserver.

Kelvin

Re: To DMZ or not
« Reply #11 on: May 20, 2003, 02:23:10 AM »
Hi Greg,

>httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
>httpd-admin 0:off 1:off 2:off 3:off 4:off 5:off 6:off
>httpd-e-smith 0:off 1:off 2:off 3:off 4:off 5:off 6:off

SME runs in runlevel 7, that's why it does not show up above.

Kelvin