Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Greg on May 19, 2003, 04:37:55 PM

Title: To DMZ or not
Post by: Greg on May 19, 2003, 04:37:55 PM
I have three 5.5U6 boxes running IPSEC; the main box is the mail server, and the two remotes just do file sharing.
I need to put on an IIS server behind the main server to run several domains using Cold Fusion and ASP.
Is there any way to do this? PortForwarding won't forward port 80, and Proxypass fails as soon as the internal web server changes to a CGI directory.
Is there a way to use E-Smith, or do I need to put on a plain Red Hat server as a Firewall?
Title: Re: To DMZ or not
Post by: Kelvin on May 19, 2003, 05:44:06 PM
Hi Greg,

Instead of a plain RH Server, why not use something like IPCop or Smoothwall, which are designed as firewalls? They also run on lesser hardware than the current SME.

If the prospect of running yet another PC does not appeal to you, then consider a VPN Firewall hardware device.

Kelvin
Title: Re: To DMZ or not
Post by: Greg on May 19, 2003, 06:17:18 PM
No problem with another PC, but I don't want to blow away the IPSEC that I have working. I am running SIP VOIP phones across the tunnel, along with mail and file access, which means I have put myself in a position of not being able to be down. I have enough spare PCs to set up a test of the whole mess.

I have no problem with leaving the E-Smith 5.5 up as the firewall if I could get port 80 through it; then I would just set another 5.6 box up behind it and put the web servers between the two.
Title: Re: To DMZ or not
Post by: Terry Brummell on May 19, 2003, 07:08:12 PM
Have you stopped the httpd service before trying to forward port 80? Also, when you test it, it needs to be tested from the external side; port forwarding will not forward internal requests. I've forwarded port 80 on my 5.5 server many times, works fine here.
Title: Re: To DMZ or not
Post by: Greg on May 19, 2003, 07:52:22 PM
I guess I can't get there from here. Stopping httpd would bring down webmail, usermanager and config ability (easier than the console).
I don't want to replace the 5.5 server that's here with 5.6 because of the IPSEC (even in a test environment with clean installs, IPSEC between 5.5U6 and 5.6U4 won't work).
How do you stop httpd on E-Smith? chkconfig shows all off when it's running.
I guess I could build a new 5.5 box and put it in front of the one I have now and forward all the ports I need (25, 110, 80 and so on). Does portforwarding work on 5.5?
Title: Re: To DMZ or not
Post by: Terry Brummell on May 19, 2003, 08:11:52 PM
Admin server manager is run under admin-httpd (or something like that, port 980), not httpd.  But yes, you would lose webmail, and I'm not sure if user-manager uses httpd or admin-httpd.
Like I said, port forwarding works fine on 5.5, but if there is a service running on the port you wish to forward, it must be stopped before the forwarding will work.

Terry
Title: Re: To DMZ or not
Post by: Greg on May 19, 2003, 08:20:51 PM
So what do you stop? All the httpd show off but something is running (confused).

httpd               0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd-admin     0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd-e-smith   0:off   1:off   2:off   3:off   4:off   5:off   6:off
Title: Re: To DMZ or not
Post by: Guck Puppy on May 19, 2003, 10:45:54 PM
You could always change the port that http is listening on as well.

http://www.familybrown.org/howtos/listen-port-howto.html

G
Title: Re: To DMZ or not
Post by: Greg on May 20, 2003, 12:04:04 AM
How close is http://www.familybrown.org/howtos/listen-port-howto.html to what I will see in 5.5 and 5.6, since it's 5.1.2?
Title: Re: To DMZ or not
Post by: Guck Puppy on May 20, 2003, 01:28:54 AM
The template in question still exists and still references the same stuff; I'd say close enough.

Maybe Dan has some opinions on it?

G
Title: Re: To DMZ or not
Post by: Boris on May 20, 2003, 02:03:24 AM
I would give ProxyPass another try. Make sure you are using the updated (by Abe Loveless) RPM. It works great for our Windows2000/IIS/ASP based pages behind the SME main webserver.
Title: Re: To DMZ or not
Post by: Kelvin on May 20, 2003, 02:23:10 AM
Hi Greg,

>httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
>httpd-admin 0:off 1:off 2:off 3:off 4:off 5:off 6:off
>httpd-e-smith 0:off 1:off 2:off 3:off 4:off 5:off 6:off

SME runs in runlevel 7; that's why it does not show up above.

Kelvin