0

Assume I have two Windows servers (2012 R2) in the same network and domain. Server B has running IIS-6 with websites(on ports 80, 8080, and others). Both of them have enabled Firewall.
The problem is that I can't access server B websites by private address in the browser or powershell.
But the website is available from public network
and B responds to ICMP requests from ping

I've added firewall rules(outgoing for A, and incoming for B) but nothing has changed. I've spent a couple of hours discovering the reasons for this behavior. And I have no idea except, that Citrix(VM's provider) somehow blocks the connection.

Added: Servers have private DNS addresses(assume servera.local and serverb.local).
When I try to ping serverb.local it responds, and when I try to curl serverb.local it doesn't The same coolstory with the private IP address (10.211...)

At the same time I have serverc.local which (wow) has access to website even without the rule corresponding it its IP address.

Please ask anything, I will add more information if it will help

Grigory
  • 101
  • 2

1 Answers1

1

If server B is running "websites" (plural), almost certainly they will respond only when they are referenced by name - there has to be a name in the header to tell IIS which web site you're interested in. If you simply talk to an IIS server by IP, generally you'll get a default web site if there is one - there isn't always. So Zac67's suggestion in comments of split-brain DNS is actually appropriate. Or at the very least, edit \windows\system32\drivers\etc\hosts on server A so there are hosts records that link web address to server B's IP, then try again to connect by name from server A.

tsc_chazz
  • 905
  • 3
  • 14
  • The problem is not the IP and DNS address. I `ping serverb.local` and it answers. And when I try to `curl serverb.local` it doesn't respond anything. I have another server C, which can access website on server B. – Grigory May 28 '23 at 16:43
  • But do you have a web site that is named `serverb.local`? Oh, and the `.local` TLD is special and may not resolve, even locally. I'd create a site `serverb.lan` and try that instead. – tsc_chazz May 28 '23 at 20:59
  • serverb.local resolve without problems. I can ping him, but I can't access port 80 – Grigory May 29 '23 at 09:32
  • The question remains: is there a web site on `serverb` named `serverb.local`? In order for IIS to respond to a request for a web site, the `host header` in the request must match the name of a web site that it is hosting, and that means that you have to be making a request by name for a site that has that name. – tsc_chazz May 29 '23 at 14:34
  • Can IIS disable access to website by IP of the client? Because I have `serverc.local` which can access the website – Grigory May 30 '23 at 08:47
  • I am sorry that I cannot help further, but if you will not answer a simple question, there is little point my continuing. – tsc_chazz May 30 '23 at 14:23
  • I have site named ARR with https binding "server.local" on 443 port, and also HTTP binding without hostname on 80 port – Grigory May 31 '23 at 10:12
  • https binding `serverb.local` on 443 port and http binding without hostname on 80 port – Grigory May 31 '23 at 10:24
  • ARR has a lot of https bindings with `serverb.local` hostname on different ports. Other sites have friendly name (no hostname) and one http binding without hostname on different ports. – Grigory May 31 '23 at 10:28