Windows server 16 with a website

Tia Rojas 1

My windows server 16 has: IIS, DNS and active director

My local server is obama.local and I host a website call obama.work

The external clients can access the website without any problem

The internal clients can't access the website

I will need to configure DNS Forward Lookup zone but don't the details.
I configures the lookup zone with the following:

obama.work
Name = cpanel
Type= Host(a)
Data = <The external IP address>

This is all I have and is not working.
Can you please help me or give me a web page with information as what to do?

20 answers

Hypatia 1 Reputation point

2021-06-05T17:39:02.983+00:00

I was able to fix this problem.

My C:\Windows\System32\drivers\etc\Host file has the intranet IP and the domain name: 20.0.0.80 www.obama.com
IIS binds the internet port 443 to port 80

The problem was in the FortiGate router. I was not pointing to the correct certificate.

One I fixed FortiGate my intranet and internet and working with the correct ports.

Thank you for your help.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Hypatia 1 Reputation point

2021-06-01T18:56:39.467+00:00

@MotoX80 I only have on NIC on my server. I am looking at the IIS to understand what is going on
Please sign in to rate this answer.
MotoX80 32,326 Reputation points

2021-06-01T20:34:45.673+00:00

If you have an HTTPS site, the address that the user browses needs to match the certificate that you use and if you specify a host name in the binding then that also needs to match.

I can't speak to your VLAN setup, but if you have a client machine that's on 20.0.0.xxx, and you browse an internet based site at 170.165.123.93, if the web server that processes that site also has a second IP (on a single NIC ) on the 20.0.0.xxx network, then your server/router may decide to send the traffic back directly to 20.0.0.xxx address instead of going back out through the internet. I don't know what functionality your network can support. You might have to run a network trace.
Sign in to comment
Tia Rojas 1 Reputation point

2021-05-29T16:42:09.84+00:00

@MotoX80
I am getting errors on the 2 logs. This is a problem that I need to look close. This machine has one NIC and looks like I may need to configure for 2 NICs

Test-NetConnection www.obama.work -Port 443
WARNING: TCP connect to www.obama.com:443 failed

ComputerName : www.obama.work
RemoteAddress : 170.165.123.93
RemotePort : 443
InterfaceAlias : Ethernet 2
SourceAddress : 20.0.0.80
PingSucceeded : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False

is not working and I am getting errors in the logs
the HTTERR log:

Software: Microsoft HTTP API 2.0

Version: 1.0

Date: 2021-05-07 09:13:15

Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sc-status s-siteid s-reason s-queuename

2021-05-07 09:13:15 10.0.0.1 55256 20.0.0.80 443 HTTP/1.1 GET / - 404 - NotFound -
Please sign in to rate this answer.
MotoX80 32,326 Reputation points

2021-05-29T17:16:20.073+00:00

I am not a networking expert. All of the internet facing web servers that I have ever dealt with were sitting in a DMZ behind firewalls and content switches. The only IP's that were defined were for the DMZ subnet. Our security team did not allow a server sitting on our private network to be directly accessed from the internet. That was considered too high of a security risk.

https://www.bing.com/search?q=windows%20nic%20ip%202%20different%20networks

If you are getting a 404 in the HTTPERR log, then IIS likely doesn't know which web site to route the request to. Try removing the host name on the HTTPS/443 binding.
Sign in to comment
Tia Rojas 1 Reputation point

2021-05-29T15:06:50.98+00:00

@MotoX80 yes that is correct. and the IP address is not the one I use.
I am still fixing TLS 1.1 problems so I don't want to expose my server.
Please sign in to rate this answer.
MotoX80 32,326 Reputation points

2021-05-29T15:37:04.183+00:00

On an intranet machine, run Powershell and try to connect. Does the remoteaddress resolve to to the internal or external IP? Then try with the IP addresses.

PS C:\> Test-NetConnection www.obama.com -Port 443 ComputerName : www.obama.com RemoteAddress : 184.168.131.241 RemotePort : 443 InterfaceAlias : Wi-Fi SourceAddress : 192.168.1.80 TcpTestSucceeded : True

Then check your IIS log files and see if IIS sees the connections. Default location is C:\inetpub\logs\LogFiles

Also check your HTTP error logs. C:\Windows\System32\LogFiles\HTTPERR

Does RDP and SMB work from the internal machines?

MotoX80 32,326 Reputation points

2021-05-29T16:05:13.277+00:00

If you have 2 NIC's, it might be that Windows is getting the request on one NIC and trying to route the response using the second NIC.

https://www.webtrafficexchange.com/how-do-you-setup-dual-nic-multi-homed-host
https://directaccess.richardhicks.com/2013/06/19/network-interface-configuration-for-multihomed-windows-server-2012-directaccess-servers/
Sign in to comment
Tia Rojas 1 Reputation point

2021-05-29T14:36:48.6+00:00

@MotoX80 the problem is not that complicated to understand

This is part of my Windows server 2016:
IP 20.0.0.80 <-- is my intranet IP address and the hostname is obama.local (I don't have a certificate or a website on obama.local, Port 80 is not open to the internet)
IP 170.165.123.93 <-- is my external IP address and and has a certificate for website https://www.obama.com I have port 443 open to the internet

The internet can access https://www.obama.com without any problems
If I try to access www.obama.com or https://170.165.123.93:443 in the intranet I get an error: ERR_CONNECTION_RESET (This is the problem that I need to fix)

@ CandyLuo-MSFT told me "DNS entries just used to resolve domain name to an IP address. First make sure you can access the website by IP address in the LAN. If you are not able to access the website by IP, then this issue is not related with DNS resolution."

I need to resolve the LAN before I work with DNS.

Your suggestion of having 2 certificates. One assign to IP 170.165.123.93:443 and the other certificate assign to IP 20.0.0.80:80 may work?
Please sign in to rate this answer.
MotoX80 32,326 Reputation points

2021-05-29T15:00:38.7+00:00

Are you using the obama name to hide your real web site name? It does not resolve to 170.165.123.93.

PS C:\> nslookup www.obama.com Non-authoritative answer: Name: obama.com Address: 184.168.131.241 Aliases: www.obama.com PS C:\> nslookup 170.165.123.93 *** Wireless_Broadband_Router.home can't find 170.165.123.93: Non-existent domain

https://www.whois.com/whois/170.165.123.93

Cheong00 3,471 Reputation points

2021-05-31T01:31:50.283+00:00

It's common for some broadband routers to have problem when intranet users try to access public IP of the same router.

Split brain DNS deployment that DSPatrick suggested should solve your problem.

Just make sure in your "internal view", www.obama.com is resolved to 20.0.0.80 and your problem should go away.

Also make sure your IIS binding is like the following:

HTTPS 170.165.123.93 www.obama.com
HTTPS 20.0.0.80 <no need to assign host name for this record>

Hypatia 1 Reputation point

2021-06-01T19:09:48.74+00:00

@Cheong00 My IIS was not configured the way you suggested.

Are you suggesting that I have HTTPS 2 times assigned to different IP's?
Sign in to comment

Share via

Windows server 16 with a website

20 answers

Software: Microsoft HTTP API 2.0

Version: 1.0

Date: 2021-05-07 09:13:15

Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sc-status s-siteid s-reason s-queuename