Comments on: NAT problem

By: yarddon

yarddon — Mon, 12 Sep 2005 16:43:15 +0000

Hi everyone,
Thanks for all those that replied. I have decided to close this subject as I feel I am going in circles.
a couple mentioned some solutions that I am going to try.
Thanks again to all who replied.
Regards
Robert

By: hedgehog

hedgehog — Thu, 08 Sep 2005 07:20:36 +0000

Hey Robert,

You’ve got a tough one there with those guys in networking… Have you tried asking the people who designed or sold you the application? Surely you’re not the only one using it, and it appears to me the setup you’re trying to achieve is not that uncommon (having different machines in DMZ would be more typical though)

What’s on the application logs and on the webserver logs? Any hints there?

I am pretty lost. If you can talk to the webserver externally and the app is on the same machine as the web server, it doesn’t make sense you can’t talk to the app. Just for the sake of trying out, can you install the application in a different machine, inside your LAN, and redirect the requests from the IIS server to the internal machine?

Sorry, man, but I can’t think of anything else right now…

Good luck

Hedgehog.

By: yarddon

yarddon — Wed, 07 Sep 2005 08:38:49 +0000

Hi Hedgehog,
Thanks for the followup.
In the Application I have to configure the IP address that the App will be communicating on and I create the certificate with that IP address. It’s my understanding if I assign the app with the external IP 198.x.x.x then I can communicate however then I lose the ability to communicate internally. I did not try your suggestion with the url, honestly I am not sure I understood it thoroughly.
I am told it can be done with networking/routing etc but I understand the networking guys are not sharing the knowledge(Politics).
HTH
Robert

By: hedgehog

hedgehog — Wed, 07 Sep 2005 06:18:04 +0000

Hi Robert,

Sorry I haven’t answered before; been away.

I am also confused about the app only allowing one single IP. Is this a licensing or a configuration issue? Can you NAT or proxy so that the app only sees the IP address of the NAT device or proxy?

Did you try the idea about changing the certificates?

If the webserver & the database are on same machine, that would rule out routing issues; unless the app is somehow set to allow only connections from “local” IP addresses (that would explain why your internal & VPN users can access it).

Any luck inspecting the webserver and/or database logs? What is the actual error reported?

Hope it helps,

Hedgehog.

By: ambrish

ambrish — Tue, 06 Sep 2005 05:49:11 +0000

first see what is the port no used by soap and also check the port no used by database if sql then 1433
if oracle then 1521 which u will map on the router

regards
ambrish

By: amigus

amigus — Thu, 01 Sep 2005 11:56:56 +0000

First of all I should point out that even if you had active directory my solution above would not work. I guess I should think before I write sometimes.

Unfortunately after reading your reply I think I’m not really understanding your problem or enough about the senerio. Your point about the application being tied to one IP confuses me. Can you give any more background on it?

By: yarddon

yarddon — Thu, 01 Sep 2005 02:09:24 +0000

Hi Amigus,
Thanks for the reply. This machine is not operating in active directory. I can access the machine from the intranet and also from the internet but only with a VPN. I am trying to eliminate the VPN as users can access this server from anywhere.
The problem is the software that is tied to the database only allows access from a single ip address. I was hoping someone knew if I could configure the network in such a way that I would not have a conflict.
HTH
Robert

By: amigus

amigus — Wed, 31 Aug 2005 12:48:13 +0000

It might be an authentication issue, more specifically a delegation issue.

Find the computer account in the active directory, open it up and check “Trust computer for delegation.”

If you’re concerned about security I’d take some time to learn about delegation and figure out how to allow delegation only for the database to minimize the risk noted by hedgehog.

By: yarddon

yarddon — Wed, 31 Aug 2005 08:12:34 +0000

Hedgehog,
Thanks for the reply. You are correct regarding ip address. Unfortunately, the DB and IIS both share the same machine and I do share your concerns regarding IIS. It’s only short lived though as I will be separating them soon. I may do what you suggest and place this IIS machine in a DMZ and see what happens.
Your certificate idea is interesting and I will investigate it some more.
I agree it could also be routing issues unfortunately I am not sure where to begin as the Networking guys think it’s not.
Regards
Robert