Cannot access internal website

I''ve recently moved home (with small office) and an now on ADSL
rather than cable. My setup is as follows:

ADSL modem connects to LAN port of firewall router, which connects to
web server and a few other network devices. All fairly standard and all
works fine except I cannot access the web server internally to the
network when using either the external hostname (e.g mycompany.com) or
ip address (e.g. 123.456.789.10). I can only access it if I enter the
server name (e.g. mylocalserver) or ip address (e.g. 192.168.0.2.)

I've played about with the windows\system32\drivers\etc\hosts file
and added an entry for mycompany.com to point to 192.168.0.2 and this
solves the problem. However, for laptops that may or may not be
connected to the internal network it is annoying to have to edit this
file depending upon location. I know there is a solution to this, but
don't know what to do.

I'm a bit of a novice of this and have a basic knowledge of DHCP,
DNS, port forwarding and stuff like that, but not much more, so I'd
appreciate it if any replies were worded simply.

Toby

Well, connecting an ADSL modem to a 'LAN port of firewall router' is not
'fairly standard.'

In any event, you cannot connect to the public IP address of a web server
from the private network on which it resides. The usual solutions are:

1. The one you are using, or

2. Use a machine running a Windows Server OS to provide DHCP and DNS - on
this server you create a zone called mycompany.com with a host record called
www pointing its local IP.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> I''ve recently moved home (with small office) and an now on ADSL
> rather than cable. My setup is as follows:
>
> ADSL modem connects to LAN port of firewall router, which connects to
> web server and a few other network devices. All fairly standard and all
> works fine except I cannot access the web server internally to the
> network when using either the external hostname (e.g mycompany.com) or
> ip address (e.g. 123.456.789.10). I can only access it if I enter the
> server name (e.g. mylocalserver) or ip address (e.g. 192.168.0.2.)
>
> I've played about with the windows\system32\drivers\etc\hosts file
> and added an entry for mycompany.com to point to 192.168.0.2 and this
> solves the problem. However, for laptops that may or may not be
> connected to the internal network it is annoying to have to edit this
> file depending upon location. I know there is a solution to this, but
> don't know what to do.
>
> I'm a bit of a novice of this and have a basic knowledge of DHCP,
> DNS, port forwarding and stuff like that, but not much more, so I'd
> appreciate it if any replies were worded simply.
>
> Toby
>

Sorry, meant to say ADSL connects to *WAN* port of router.

You say you cannot connect to the public IP address of a web server
from the private network on which it resides, but this was exactly what
I was doing before.

Windows SBS2003 is providing DHCP and DNS; they are turned off on the
router and modem. Do I still need to create a zone? I've no idea what
one is.

Toby

If you are running SBS, then you already have a DNS zone for your Active
directory domain - evidently, named something other than mydomain.com.

On the SBS machine open the DNS console and create a new Standard Primary
zone called mydomain.com:

http://support.microsoft.com/kb/308201/EN-US/

The advantage of this method is that mobile machines will only be directed
to the local IP when they are connected to the local network.

"You say you cannot connect to the public IP address of a web server from
the private network on which it resides, but this was exactly what I was
doing before." Really? You could do this from a local machine if it used
an Internet connection different from that used by local web server - eg.
web server uses an Internet router, but workstation uses a dialup modem for
Internet.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Sorry, meant to say ADSL connects to *WAN* port of router.
>
> You say you cannot connect to the public IP address of a web server
> from the private network on which it resides, but this was exactly what
> I was doing before.
>
> Windows SBS2003 is providing DHCP and DNS; they are turned off on the
> router and modem. Do I still need to create a zone? I've no idea what
> one is.
>
> Toby
>

I am sure that the setup I had before worked as follows:

If I pinged mycompany.com from outside of the n/w it would return
123.456.789.10 (or whatever)
If I pinged mycompany.com from inside of the n/w it would return
192.168.0.2 (my server)

Are you saying this is not possibel.

It is possible if I edit the hosts file, but this is not what I needed
to do before.

Thanks,
Toby

I am sure that the setup I had before worked as follows:

If I pinged mycompany.com from outside of the n/w it would return
123.456.789.10 (or whatever)
If I pinged mycompany.com from inside of the n/w it would return
192.168.0.2 (my server)

Are you saying this is not possible?

It is possible if I edit the hosts file, but this is not what I needed
to do before.

Thanks,
Toby

No - I am saying that if a machine is connected to the 192.168.0.x network,
it cannot connect to http://123.456.789.10.

If you edit the hosts file, you will connect to 192.168.0.2. It does not
matter that both addresses identify the same server. If this distinction
were not important, you would not be having this problem.

Another way to look at this is that your router will map the public IP to
192.168.0.2 only for packets it receives on its Internet interface. If a
machine is connected to the LAN side of the router, then packets are
received only on the LAN interface.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> I am sure that the setup I had before worked as follows:
>
> If I pinged mycompany.com from outside of the n/w it would return
> 123.456.789.10 (or whatever)
> If I pinged mycompany.com from inside of the n/w it would return
> 192.168.0.2 (my server)
>
> Are you saying this is not possibel.
>
> It is possible if I edit the hosts file, but this is not what I needed
> to do before.
>
> Thanks,
> Toby
>

If your Active Directory domain were named mydomain.com, or you otherwise
had a forward lookup zone for mydomain.com on your DNS server, then you
could get this result without a hosts file.

Doug Sherman
MCSE, MCSA, MCP+I, MVP

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> I am sure that the setup I had before worked as follows:
>
> If I pinged mycompany.com from outside of the n/w it would return
> 123.456.789.10 (or whatever)
> If I pinged mycompany.com from inside of the n/w it would return
> 192.168.0.2 (my server)
>
> Are you saying this is not possible?
>
> It is possible if I edit the hosts file, but this is not what I needed
> to do before.
>
> Thanks,
> Toby
>

To add to Doug's comments. You cannot make a "u-turn" through a NAT Device
from the internal side. It creates a situation where the source MAC address
and the destination MAC address in the Layer2 portion of the packet are the
same address,...since Ethernet won't let it go to itself from itself the
thing just flips outs, shoots itself in the head and fails.

Therefore any internal destination (no matter what the name is) must
properly resolve to the internal private IP when the client is already on
the private side of the LAN. *How* you make it resolve is up to you, but a
properly configured DNS Server on the LAN is the best way and that, I
believe, is where Doug is trying to take you.

To lessen the confusion,...you should never make your AD FQDN the same as
you Public FQDN,...they are two different things that exist to two
completely different reasons and have totally different purposes,....your
AD/DNS handles the AD FQDN and the ISP's DNS is Authoritative for,...and
supposed to handle the Public FQDN and they should be different names.
But if you already made them the same then leave it alone, there are still
ways to make it work.


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------



<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> I am sure that the setup I had before worked as follows:
>
> If I pinged mycompany.com from outside of the n/w it would return
> 123.456.789.10 (or whatever)
> If I pinged mycompany.com from inside of the n/w it would return
> 192.168.0.2 (my server)
>
> Are you saying this is not possibel.
>
> It is possible if I edit the hosts file, but this is not what I needed
> to do before.
>
> Thanks,
> Toby
>

Doug / Phillip,

I've come to the conclusion that I don't really know what I'm doing
with SBS! I had it set up and working before pretty much as I wanted
(but not quite, e.g. I was using the pop mail connector for exchange
which I kept meaning to change.) The trouble is, I didn't take the time
to learn how to do it properly (I had no documentation and just
followed the wizards) and now things are not working quite as they
should don't know where to look to change stuff.

As the box it is all running on is quite ancient, I've decided I'm
going to dump it as there is a much newer box in the office gathering
dust. If I do rebuild my SBS I'm going to take my time, buy a good book
and learn what everything does.

However, right now I'm thinking of just installing XP Pro with IIS and
some backup s/w on the new box and using it as a simple file server.
Third party Exchange hosting (the only part of SBS that we really used
apart from IIS and the backup s/w) is just so cheap that it just makes
business sense to do so.

Thanks anyway,
Toby