Reject connection by machine name, accept connection by DNS alias

Discussion in 'Windows Networking' started by Scott Bass, Nov 18, 2008.

  1. Scott Bass

    Scott Bass Guest

    Hi,

    I have an esoteric problem - not sure the best approach, but here are my
    thoughts.

    This question has to do with disaster recovery operations and testing. Here
    is the scenario:

    Two machines:

    MachineName_dev
    MachineName_prd

    Two DNS aliases:

    DNSName_dev --> MachineName_dev
    DNSName_prd --> MachineName_prd

    During disaster testing (DR) and/or actual disaster operations, the PRD
    environment points to the DEV environment:

    MachineName_dev up as usual
    MachineName_prd down

    MachineName_prd --> points to MachineName_dev
    DNSName_prd --> points to MachineName_dev

    Two server processes:

    IIS supports a web based application (SAS Activity Based Management)
    Other TCP based application (SAS metadata server)

    OK, the questions.

    During DR, I don't want any inadvertent use of "DEV", as things are
    configured for PRD - ABM on DEV machine configured for replicated PRD
    backend database, SAS MDS on DEV machine configured for replicated PRD
    metadata repository. I don't want our end users doing things in the DR
    environment, thinking it's DEV, and messing up the PRD environment when
    reverting back to PRD configuration.

    I can manage the DNS connection requests by temporarily deleting the DEV
    alias. But I can't control direct connection by the DEV machine name.

    IIS - is there a way to reject incoming requests based on incoming server
    name, accepting http://MachineName_prd/whatever and
    http://DNSName_prd/whatever, but rejecting http://MachineName_dev/whatever
    and http://DNSName_dev/whatever. I'm thinking URLscan could be used here.

    All TCP connections - a better (?) approach may be to reject client
    connection requests by Machine_dev, but allow connection requests via
    DNSName. I can then shutdown all connection requests to DEV during DR.

    Of course, if I implement #2, I have to consider all scenarios, such as
    network drive mapping to these machines (public shares are used to access
    key directories on these machines). To do this, AFAIK we'd need to
    implement http://support.microsoft.com/kb/281308/en-us.

    Thanks for any advice you can provide.

    Regards,
    Scott

    P.S.: I'm not the network administrator, and know just enough to be
    dangerous. Any advice given I'll have to forward to our network admins for
    consideration.
     
    Scott Bass, Nov 18, 2008
    #1
    1. Advertisements

  2. Yes , you are right
    it is esoteric

    may be it helps inverting rd

    regards jk
     
    Juergen Kluth, Nov 18, 2008
    #2
    1. Advertisements

  3. Scott Bass

    Scott Bass Guest

    Thanks Juergen, not sure 1) what "inverting rd" means, or 2) if it was a
    serious reply.

    regards sb
     
    Scott Bass, Nov 20, 2008
    #3
  4. I don't think anyone is even going to understand the scenario you are trying
    to "paint".
    I know that is doesn't make any sense to me.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Nov 20, 2008
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.