How to force IE to use a specific NIC on a multi-homed server?

Hi all,

I have a Win 2003 file server with two NICs that I manage via remote
desktop.

NIC One is assigned a fixed, non-routable IP address (doesn't route
outside our organization), and is always enabled. This is for day to
day use as a file server.

NIC Two is assigned a standard IP address that can see and be seen on
the internet, and is almost always disabled. Occasionally I need to
connect to Windows Update or sync Software Update services. In this
case, I enable NIC Two temporarily.

The problem is that SUS, and to a lesser extent Windows Update, insist
on trying to get out on NIC One, which can't see the internet. I can
sometimes force Windows Update to use NIC Two by closing and reopening
Internet Explorer a couple times, but this technique doesn't work for
SUS synchronization.

Disabling NIC One while trying to run SUS Sync works allows SUS to
connect, but the second I do that, I lose my remote desktop
connection.

Is there any way to force IE to use NIC Two while NIC One is still
enabled?

Thanks,

Mike
..

"selowan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> NIC Two is assigned a standard IP address that can see and be seen on
> the internet, and is almost always disabled. Occasionally I need to
> connect to Windows Update or sync Software Update services. In this
> case, I enable NIC Two temporarily.

Won't work.

> The problem is that SUS, and to a lesser extent Windows Update, insist
> on trying to get out on NIC One, which can't see the internet. I can

It will always follow the path of the Default Gateway. There can only be
*ONE* Default Gateway on a machine.

You are using a flawed method. You need to run only one Nic and make sure
that a functioning path to the Internet is provided with the proper
restrictions and controls.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Phillip Windell" <@.> wrote in message news:<#(E-Mail Removed)>...
> "selowan" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) m...
> > NIC Two is assigned a standard IP address that can see and be seen on
> > the internet, and is almost always disabled. Occasionally I need to
> > connect to Windows Update or sync Software Update services. In this
> > case, I enable NIC Two temporarily.
>
> Won't work.
>
> > The problem is that SUS, and to a lesser extent Windows Update, insist
> > on trying to get out on NIC One, which can't see the internet. I can
>
> It will always follow the path of the Default Gateway. There can only be
> *ONE* Default Gateway on a machine.
>

Thanks for responding.

For whatever reason, this approach *has* worked for Windows Update,
but not for SUS.

> You are using a flawed method. You need to run only one Nic and make sure
> that a functioning path to the Internet is provided with the proper
> restrictions and controls.

Well, I'm willing. Any suggestions on how I might do that? IPSec?

"selowan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> "Phillip Windell" <@.> wrote in message
news:<#(E-Mail Removed)>...
> For whatever reason, this approach *has* worked for Windows Update,
> but not for SUS.
>
> > You are using a flawed method. You need to run only one Nic and make
sure
> > that a functioning path to the Internet is provided with the proper
> > restrictions and controls.
>
> Well, I'm willing. Any suggestions on how I might do that? IPSec?

What kind of internet connection do you have? What kind of Device is
currently providing that connection? This is the Device that provides the
security and the control.

IPSec is not for the Internet, it is for the LAN where you have direct
control over machines at both ends of the connection.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Phillip Windell" <@.> wrote in message > What kind of internet connection do you have? What kind of Device is
> currently providing that connection? This is the Device that provides the
> security and the control.
>
> IPSec is not for the Internet, it is for the LAN where you have direct
> control over machines at both ends of the connection.


Hi Phillip,

The server is an Intel, rack mounted, on a corporate (school district
really) LAN. It's located in our machine room, some distance away,
which is why I need to be able to use remote desktop. All our
machines have a direct connection to the internet, there is no address
translation. We also use a series of internal addresses (172.10.x.x)
on that do not route outside the district. These are use for printers
and servers that do not need to access the internet.

I used a non routable address for the server because there is no need
for it to be seen from the internet, and only the rare need to connect
to the internet for Windows Updates and SUS.

Any security, firewall, filtering, etc., will need to be implemented
on the server.

BTW, I use IPsec filtering on a W2K web server in the same equipment
rack. It _does_ have a routable IP address and needs to be accessed
from the internet. However, due to the software used by the web
application to talk to it's database, it was bit of a bear determining
all the ports that needed to be open, but at least the IP addresses
involved are fixed.

I suspect using IPsec to solve the current problem would be a matter
of assigning the server a routable IP address, then creating rules to
allow communication to the Windows Update and SUS servers. However,
the issue with IPsec IIRC, is that even if you specify a domain name
in a rule, it is resolved at the time the rule is created, so if/when
the IP addresses for the Windows Update and SUS servers change in the
future, the rule would need to be updated.

Regarding the default gateway, IPCONFIG shows that the NIC with the
internal address has a non routable default gateway, 172.16.10.1,
while the NIC with the routable address has the standard external
default gateway. This is true with both NICS enabled.

My ideal solution would be to configure applications such as Internet
Explorer to use the NIC with the routable address, and simply behave
as if there were no connection when that NIC is disabled.

"selowan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> which is why I need to be able to use remote desktop. All our
> machines have a direct connection to the internet, there is no address
> translation. We also use a series of internal addresses (172.10.x.x)
> on that do not route outside the district. These are use for printers
> and servers that do not need to access the internet.

I think I am going to have to step aside. I cannot follow your design well
enough to help (not even close). I also am not comfortable at all with all
those machines being directly on the Internet and I don't want to get
involved in that. The Internet is such a horribly dangerous place today that
I just want no part of something setup that way. There are plenty of people
in this group who can probably step in a help with it,...we'll just have to
wait to see who wants to setp up to the plate with that.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com