
Every now and then my company will do some integration with a 3rd party, e.g. calling a web service from our shared IIS web servers in some ASP page.

Where these integrations have to be IP white-listed at the other end, often the applications (or in my opinion the developers/sysadmins) are poor and will only accept a single IP to white-list connection attempts from, rather than allowing our company's subnet access.

Since my web servers have multiple IPs (different SSL certs etc.) the primary IP of the server often has nothing to do with the site integration in question.

As a result we now have various integrations which can fall apart if the server were to be slightly reconfigured, due to this arbitrary sharing of primary IPs.

Is my request to allow entire subnets access for external services unreasonable?

Is there a way to work around the fact that servers call services from their primary IP rather than any other IP?

4 Answers


NAT rules (assuming you are using NAT here) might help, depending on your configuration. You could designate a public IP for webserver-vendor communication, then set up NAT so that all outgoing traffic from your webservers uses that public IP as its translation.

There's a lot of gotchas here obviously, but based on what you've written this could work.

I.T. Support

Run those services through a proxy and have the proxy server whitelisted.

karmawhore
Comment: I think this is overkill as it would require a separate machine per web service in my network. – Jul 02 '10 at 16:54

I can certainly assign an IP for this communication, but what and where would I have to do stuff to force the integration to use it rather than the default primary web server IP?

Bear in mind the server already has ANOTHER service which requires a specific IP for external communication, which is unfortunately now shared (two unrelated websites have to share the same web server indefinitely now!), and that's what I want to move away from.

It would be helpful if we could get a description of how the network looks. Are the web servers on a DMZ behind a firewall, or without a firewall directly on the public IP range? Does the host use multiple physical interfaces or just lots of IP addresses on the same NIC?

If you use multiple physical/virtual network interfaces you should be able to put a static route in the Windows routing table, e.g. route add mask 255.255.255.255 metric 1 IF

netsh interface ipv4 show interfaces will show you the interface IDs.

MrTimpi
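The static-route approach from the answer above, worked through as an added example (this is not code from any of the answers). All addresses are hypothetical placeholders: 203.0.113.10 stands for the vendor's whitelisting endpoint, 198.51.100.5 for the address on our server that the vendor has whitelisted, and 198.51.100.1 for the gateway on that segment. The route pins the interface; which of several addresses on one NIC becomes the source is still decided by Windows' own source-address selection, so the script ends by checking what Windows will actually pick rather than assuming the route settled it. Get-NetIPAddress and Find-NetRoute need Windows Server 2012 or later; on 2008 the netsh commands in the comments give the same information by hand.

```powershell
# Added example, not part of the original answers. Run from an elevated prompt.
# Hypothetical addresses (assumptions, adjust to your own network):
$VendorIP    = '203.0.113.10'   # vendor web service that whitelists one IP of ours
$WantedSrcIP = '198.51.100.5'   # the address of ours that the vendor whitelisted
$Gateway     = '198.51.100.1'   # next hop on the segment that carries $WantedSrcIP

# 1. Find the interface index that carries the whitelisted address.
#    (Windows 2008 equivalent: netsh interface ipv4 show addresses
#                              netsh interface ipv4 show interfaces)
$ifIndex = (Get-NetIPAddress -IPAddress $WantedSrcIP -AddressFamily IPv4 -ErrorAction Stop).InterfaceIndex
if (-not $ifIndex) { throw "$WantedSrcIP is not configured on this host" }

# 2. Add a persistent (-p) host route (/32) for the vendor through that interface.
#    Metric 1 makes it win over the default route for this one destination.
route -p add $VendorIP mask 255.255.255.255 $Gateway metric 1 if $ifIndex
if ($LASTEXITCODE -ne 0) { throw "route add failed (exit code $LASTEXITCODE)" }

# 3. Ask the stack which source address it will really use for that destination.
#    Find-NetRoute returns the chosen source IP object and the matching route.
$sel   = Find-NetRoute -RemoteIPAddress $VendorIP
$srcIP = ($sel | Where-Object { $_.PSObject.Properties['IPAddress'] } | Select-Object -First 1).IPAddress
$route = ($sel | Where-Object { $_.PSObject.Properties['DestinationPrefix'] } | Select-Object -First 1)

"Route used   : $($route.DestinationPrefix) via $($route.NextHop) on ifIndex $($route.InterfaceIndex)"
"Source chosen: $srcIP"

if ($srcIP -ne $WantedSrcIP) {
    # The route picked the interface, but several addresses share that NIC and
    # Windows chose another one of them. The host route alone does not fix that.
    Write-Warning "Outbound calls to $VendorIP will leave from $srcIP, not $WantedSrcIP."
}
```

To confirm end to end once the vendor's port is reachable, `Test-NetConnection -ComputerName 203.0.113.10 -Port 443` reports the `SourceAddress` the connection actually used; that is the value the vendor's whitelist sees, and it is the thing to re-check after any re-addressing of the server, which is exactly the reconfiguration risk the question describes.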