
(Full disclosure: I rate barely above "noob" when it comes to networking.) My workplace recently got a new web server. Since we're nearing the end of an overhaul of our website, we're doing a slooooow migration between the old web server and the new one.

The old webserver (we'll call it SERVOLD) is Windows Server 2008 with IIS 7. It does not have SQL Server installed. The new server (SERVNEW) is Windows Server 2008 R2, IIS 7.5, with the same version of SQL Server installed. Both are located in the DMZ for our network, and both have their own outward-facing IP address (.3 and .4, respectively).

Each server can communicate fine with computers within the domain (not in the DMZ), and those same computers have no trouble communicating with either server. Both servers are also accessible from the internet just fine. However, no matter what, these two servers just refuse to recognize each other. They have the same Workgroup name listed (WORKGROUP), and I thought that would be enough for them to recognize each other.

What needs to happen such that I can get these two servers to communicate with each other? We want to do a gradual roll-over to the new website (new one uses ASP.NET, old one uses CFMX), so being able to use one database between both servers is a necessity.

Thanks!

Updated Information

To be more precise, when I say they "can't communicate", I mean they can't do anything with regards to each other. No file sharing, no SQL communication. As mentioned, both have outward-facing IPs, and I can't even access their respective sites within the browser.

When I try to access a shared folder, I get error code 0x80004005 (Unspecified error) (not that helpful).

When I try to ping, I time out. However, if I do ping [servername], it does attempt to ping the correct IP address.

Kodithic
  • Explain what you mean when you say that they can't communicate. They can't ping each other? You can't connect to the web site on one from the other? You can't connect to SQL Server on one from the other? Saying that they can't communicate with each other is like saying that my car doesn't work and asking you to diagnose it for me. – joeqwerty Nov 24 '12 at 03:00
  • Sorry, I should have explained further. When I mean "no communication", I mean they can't do a single thing with regards to each other. One might as well be in different dimensions as far as the other is concerned. No SQL connection, no file sharing, no ping. Both have a static, internet-facing IP (starting 172.). I can successfully ping both from within my network. – Kodithic Nov 26 '12 at 17:17
  • I should add that if I do "ping [servername]", it does try to ping the correct IP address. A firewall issue, perhaps? – Kodithic Nov 26 '12 at 17:24
  • That's just your DNS properly resolving the name before it pings it. – Safado Nov 26 '12 at 18:03
  • "Each server can communicate fine with computers within the domain (not in the DMZ)" -- Isn't the point of the DMZ to get them out of your local network? I know this isn't directly related to what your question is, but I always thought the point of a DMZ was to allow devices from behind the firewall to be available to outside networks, but at the same time, blocking their ability to access the internal network. That way if they get compromised, they can't access your internal machines. – Safado Nov 26 '12 at 18:07
  • Some information that would help: How are the NICs configured (i.e. netmask) and what's the topology of the DMZ (do they each connect to a switch and then to the firewall, or are they both directly connected to the firewall)? Have you tried running Wireshark on each server to watch the traffic coming in and going out as you're testing? Have you tried disabling Windows Firewall temporarily to see if it's the problem? – Safado Nov 26 '12 at 18:17
  • My understanding of the DMZ (again, I have very little networking experience) is that it's intended to allow more access to the machines within it than you'd want for your normal machines; the servers themselves have access to folders on the network, so if the point of a DMZ is to cut off all access to the internal network, we've failed in that regard. – Kodithic Nov 26 '12 at 18:18
  • Well, the level of access depends on the business need. You don't necessarily need to cut off all access, but you have to keep in mind that any access you ALLOW will also be available to the hacker that compromised your web facing server. – Safado Nov 26 '12 at 18:23
  • Ah, okay. I have so much to learn; my work has been in web/db dev and I've never had to worry about this kind of stuff, so this is a new hat for me to wear. Anyway, I'll try to gather that info you asked for. Windows Firewall is disabled on both servers, as we have a firewall between them and the internet that blocks as necessary (which I believe may be where the issue lies; could it block them from accessing each other?) The old server is physical, the new one is VMware, but I'm not sure on the topology. – Kodithic Nov 26 '12 at 18:38
  • Our firewall is apparently managed by a third-party guy and the new server is in another building, so I don't have access to check the settings nor get proper topology. I _do_ have an ASA config file; I don't know how much that will help, but I uploaded it to http://pastebin.com/1rG4p3hP Both computers have static IP and DNS server set up; one thing I notice, though, is that the subnet mask for the old server is 255.255.255.0, while the new one is 255.255.255.255. Could that cause the issue? If the subnet mask is a moot point then I can try running Wireshark. – Kodithic Nov 26 '12 at 19:10
  • @Safado, the difference in subnet masks was indeed the problem. If you want to create an answer that says as such, I'll mark it answered. Your help led me to the resolution, so I want to make sure you get the credit. If not, I'll answer my own question. – Kodithic Nov 26 '12 at 19:29
  • I'm not worried about it. It'd be more constructive if you just wrote up the solution and marked it as the answer. Glad it got fixed. – Safado Nov 26 '12 at 20:02

1 Answer


Problem resolved. The two servers had static IP and DNS configurations, but the subnet mask was different. The first (old) server had 255.255.255.0, the second (new) server had 255.255.255.255. Probably an oversight by the guy that did the initial server setup and installation before handing it over to us.

As soon as I changed the new server to use the same mask as the old one, everything worked dandy.

Special thanks to Safado for their assistance, which led to the resolution.
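To show why the mismatched masks break things in one direction only, here is an added example (not from the original post) that works out each server's on-link subnet from its IP and mask. The 172.16.0.0/24 prefix and the .3/.4 host addresses are assumptions for illustration; only the two masks come from the answer.

```python
import ipaddress

# Constructed values: both servers sit in the same DMZ segment with host
# addresses .3 and .4. The 172.16.0.0/24 prefix is an assumption; the masks
# are the ones reported in the answer (255.255.255.0 vs 255.255.255.255).
SERVOLD = ("172.16.0.3", "255.255.255.0")
SERVNEW = ("172.16.0.4", "255.255.255.255")


def local_network(ip, mask):
    """Return the on-link network a host derives from its own IP and mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def considers_on_link(src, dst):
    """True if `src` will ARP for `dst` directly (same subnet from src's point
    of view) instead of handing the packet to its default gateway."""
    src_ip, src_mask = src
    return ipaddress.ip_address(dst[0]) in local_network(src_ip, src_mask)


def diagnose(a, b):
    """Compare both directions and report whether the two views agree.

    A /32 mask makes a host treat every other address as off-link, so its
    replies go to the default gateway even when the peer is one hop away.
    """
    a_to_b = considers_on_link(a, b)
    b_to_a = considers_on_link(b, a)
    return {
        "a_network": str(local_network(*a)),
        "b_network": str(local_network(*b)),
        "a_sees_b_on_link": a_to_b,
        "b_sees_a_on_link": b_to_a,
        "symmetric": a_to_b == b_to_a and local_network(*a) == local_network(*b),
    }


if __name__ == "__main__":
    # Broken: old server /24, new server /32 (as found on the page).
    print("broken", diagnose(SERVOLD, SERVNEW))
    # Fixed: new server given the same /24 mask as the old one.
    print("fixed", diagnose(SERVOLD, (SERVNEW[0], SERVOLD[1])))
```

Running it shows SERVOLD considers SERVNEW on-link while SERVNEW does not consider SERVOLD on-link, which is the asymmetry that made pings time out until both masks matched.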

Kodithic