0

I'm not sure if the title correctly describes the problem.

We have websites set up on our SBS 2008 machine that are publicly available via an external address and internally available via an internal address. The external addresses are different subdomains of a domain, e.g. http://site1.domain.com, and the internal address is http://site1.

Over the weekend the public addresses stopped working when viewed from inside our network but viewing them from a machine outside of our network works fine.

The internal addresses mapped to the same sites still work fine internally and obviously can't be resolved outside.

When I do an nslookup or ping the addresses, they resolve to the correct IP address from inside our network. I've cleared the DNS cache and restarted the DNS server, but they still don't load up.

I'm stuck on what to try next. I'm not sure what has changed over the weekend; I certainly haven't done anything.

Charlie Bear

3 Answers

1

So...

Internal clients can resolve http://site1 to INTERNAL_IP and the page loads. External clients can resolve http://site1.domain.com to EXTERNAL_IP and the page loads. Internal clients can resolve http://site1.domain.com to EXTERNAL_IP but the page does not load.

The above statements are the norm for most web servers. It sounds like what you want is...

Internal clients to resolve http://site1.domain.com to INTERNAL_IP.

This will allow your internal users to use the same URL as external users. To accomplish this, just add a record to internal DNS reflecting site1.domain.com to INTERNAL_IP.

Daniel Lucas
  • Otherwise known as split-horizon DNS (serving different information for the same name depending on where the request comes from). In this case you could configure the local DNS resolver with the internal IP and make it authoritative for the domain so internal users get the internal IPs for the same domain as external users access the sites with. – Justin Scott Oct 07 '09 at 02:50
  • the thing is that 1) it was working before without the need for an internal dns record for the full domain and 2) even if I do as you suggest it still doesn't work even though an ns lookup now resolves to the internal ip! what's going on? – Charlie Bear Oct 07 '09 at 09:01
  • firewall/networking issue. something might be blocking port 80 in the middle. – sybreon Oct 07 '09 at 10:01
  • Any tips on how to do this on Windows 2003 Server? I'm a developer and totally new to configuring DNS. – jpierson Feb 04 '10 at 23:22
0

Check your firewall/router. Chances are, that something has changed between your internal machines and the servers. Try pinging them and tracerouting them. If those work, maybe a router/firewall is blocking port 80 access in between. In a corporate environment, sometime the network admins make adjustments or install new switches without realising some of the new problems it causes.

sybreon
  • I've checked and there doesn't appear to be any changes to the router or firewall. Trace routing and pinging from inside the network resolves instantly but the sites don't load in a browser! – Charlie Bear Oct 06 '09 at 11:03
  • Just because you can ping the machines does not mean that you can connect to them if there is some firewall somewhere blocking certain ports. It could be a firewall on the server, on your machine or anywhere in between. Try `telnet serverip 80` to see if you can connect directly to that server from different stages in your network. – sybreon Oct 06 '09 at 13:11
  • Also, ensure that the webserver is actually running on the server of course. :) – sybreon Oct 06 '09 at 13:11
  • the web server is running. the internal addresses resolve and you can get to the external sites from outside the network – Charlie Bear Oct 06 '09 at 13:19
  • Yea, have you tried to `telnet serverip 80` to see if you can telnet it from your machine? If you can, then it might be a browser problem. Otherwise, it would be a networking problem. – sybreon Oct 06 '09 at 15:18
  • interestingly I can't telnet to it internally; it just sits there for a long time, then says could not open connection to host. Port 80 is obviously open as the sites work from outside the network and the client machines can see other sites. – Charlie Bear Oct 07 '09 at 09:06
  • assuming that you have specified an IP, then it is most likely a firewall/networking issue. – sybreon Oct 07 '09 at 10:01
  • the only firewall in the middle is the Windows firewall on the server, which allows port 80 - and it does for the remote workspace but not any of the other sites unless accessed from outside. – Charlie Bear Oct 07 '09 at 15:54
  • check the firewall rules.. it might be allowing only external port 80 access and blocking local port 80 access.. it might be that your webserver is listening on only the external interface or the firewall is blocking the internal one.. – sybreon Oct 08 '09 at 00:24
  • in the Windows firewall on the server, World Wide Web Services (HTTP Traffic-In) on port 80 is set to enabled on any remote address and any local address and for any profile. As I said, it works for the remote workspace locally but not any other site. The hardware firewall we have is set to the same: inbound HTTP on port 80 goes to the server and is allowed from any address. Any idea how I can trace where it's getting stopped? I've tried Network Monitor but can't see anything useful. – Charlie Bear Oct 08 '09 at 09:51
  • Trace it like tracing any other network problem - start by jacking in a laptop directly into the network of the server to see if it works. Maybe the network card is spoiled. Then, jack it into the first switch, then the next and so on so forth until you find a place where it stops working. – sybreon Oct 09 '09 at 00:32
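The two answers above and their comment threads work through the same layers in turn: does the public name resolve at all from inside, does it resolve to the internal or the external address (the split-horizon point from the first answer), does TCP port 80 connect (the `telnet serverip 80` test), and does the web server then answer for that Host name. The following script, added here as an example and not posted by anyone in the thread, runs those checks in that order from whatever client it is executed on and reports the first layer that fails. The hostnames and addresses in the demo scenarios are constructed placeholders, not the asker's real ones, and the resolver and connector are injectable so the scenarios run offline.

```python
import socket

# Stage names returned by classify_http_path(), in the order the thread tested them.
STAGE_DNS, STAGE_TCP, STAGE_OK = "dns", "tcp", "ok"


def http_probe(addr, port, hostname, timeout):
    """Open a TCP connection to addr:port (the `telnet serverip 80` test from the
    comments), send a minimal HTTP/1.1 request carrying the public hostname in the
    Host header so a name-based virtual host answers, and return the numeric status.
    Raises socket.timeout / OSError exactly as socket.create_connection does."""
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        request = (
            f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
        ).encode("ascii")
        sock.sendall(request)
        status_line = sock.recv(256).split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise OSError(f"non-HTTP reply from {addr}:{port}: {status_line!r}")
    return int(parts[1])


def classify_http_path(hostname, expected_internal_ip=None, port=80, timeout=3.0,
                       resolver=socket.gethostbyname, connector=http_probe):
    """Work through the layers in the order the thread did: does the name resolve,
    which horizon answered (internal or external address), does TCP connect, and
    does HTTP answer. Returns (stage, detail): the first stage that failed, or 'ok'.
    resolver/connector are injectable so the scenarios below run offline."""
    try:
        addr = resolver(hostname)
    except OSError as exc:
        return STAGE_DNS, f"{hostname} does not resolve from this client: {exc}"

    if expected_internal_ip is None:
        horizon = "no expected internal address given"
    elif addr == expected_internal_ip:
        horizon = "internal view (split-horizon record in place)"
    else:
        horizon = "external view (public address; needs hairpin NAT or an internal record)"

    try:
        status = connector(addr, port, hostname, timeout)
    except socket.timeout:
        return STAGE_TCP, (f"{hostname} -> {addr} [{horizon}]: TCP connect to port {port} "
                           f"timed out; name resolution is fine, something between this "
                           f"client and the server is dropping the connection attempt")
    except OSError as exc:
        return STAGE_TCP, f"{hostname} -> {addr} [{horizon}]: connect failed: {exc}"

    return STAGE_OK, f"{hostname} -> {addr} [{horizon}]: HTTP status {status}"


# Constructed scenarios mirroring the thread (addresses are placeholders, not the
# asker's real ones). Each connector stands in for a network we cannot reach here.
def _timeout_connector(addr, port, hostname, timeout):
    raise socket.timeout(f"simulated: no reply from {addr}:{port}")


def demo_scenarios():
    internal, external = "192.168.1.10", "203.0.113.10"   # placeholder addresses
    results = {}
    # Before the fix: the internal client gets the public address and the connection hangs.
    results["external_view_hangs"] = classify_http_path(
        "site1.domain.com", internal, resolver=lambda h: external,
        connector=_timeout_connector)
    # After adding the internal record: right address, but port 80 still hangs
    # (the situation described in the comments on the first answer).
    results["internal_view_hangs"] = classify_http_path(
        "site1.domain.com", internal, resolver=lambda h: internal,
        connector=_timeout_connector)
    # Healthy split horizon: the internal address answers HTTP.
    results["internal_view_ok"] = classify_http_path(
        "site1.domain.com", internal, resolver=lambda h: internal,
        connector=lambda a, p, h, t: 200)
    # Name not present in internal DNS at all.
    def _nxdomain(h):
        raise socket.gaierror(f"simulated: {h} not found")
    results["no_record"] = classify_http_path("site1.domain.com", internal,
                                             resolver=_nxdomain)
    return results


if __name__ == "__main__":
    for name, (stage, detail) in demo_scenarios().items():
        print(f"{name:22s} {stage:4s} {detail}")
```

Run it unmodified to see the four constructed scenarios; to use it for real, call `classify_http_path("site1.domain.com", expected_internal_ip="<your server's LAN address>")` from a client on the LAN, then from a machine plugged directly into the server's switch, as the last comment suggests, and compare at which stage the two runs diverge. A `dns` result means the internal zone lacks the record; an `external view` plus `tcp` result points at the router not hairpinning traffic back in; an `internal view` plus `tcp` result means the address is right and something on the path or the server itself is filtering port 80.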
-1

I suspect you need a hairpin NAT on the firewall. Happens a lot in our environment when I get problems.