Unable to access subdomain that points to static IP from building 1

Status
Not open for further replies.

fhvac

Programmer
Jan 11, 2004
56
US
Hello, I set up SBS 2003 server that has a static IP assigned by the ISP. We also have a website which we pay for hosting services. We have a subdomain on our website that points to the static IP of the SBS server. We cannot access the subdomain from the building.

When accessed from another location everything works, except the Company website link which points to which is understandable since we're not on the same network as the server.

Why is the IP of the server inaccessible from inside the network?


If you would like to see please go to:
You will also notice that changes to the IP address assigned by the ISP, how can I hide that?

Thanks
 
Well, my first guess was going to be that your internal domain name was the same as your public one... but after reviewing your SSL certificate, I see that in fact you have named it correctly as fhvac.local.

So... why is this happening? It could be a couple of things, but in order to help you sort it out, please post a complete IPCONFIG /ALL from the server.

Thanks.

Jeff
TechSoEasy
 
Cool, here is info

Windows IP Configuration

Host Name . . . . . . . . . . . . : juliet
Primary Dns Suffix . . . . . . . : fhvac.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : fhvac.local

Ethernet adapter Internet Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet
NIC
Physical Address. . . . . . . . . : 00-16-EC-4C-22-4A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.16.1
DNS Servers . . . . . . . . . . . : 192.168.16.2
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 GT Desktop Adapter
Physical Address. . . . . . . . . : 00-0E-0C-B9-4A-BE
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2


Also, how do I update the SSL Certificate?

Thank you much
 
First, there's nothing wrong with your SSL certificate, but there certainly is with both your network configuration as well as the way your "subdomain" is set up.

For your SBS's Network Config:
You need to use a separate IP Subnet on your EXTERNAL NIC. This is why you're having the cross-over problems.

So, you'll need to change your router's LAN IP to something like 192.168.100.1, then change the settings on your External NIC to look like this:

IP Address. . . . . . . . . . . . : 192.168.100.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
DNS Servers . . . . . . . . . . . : 192.168.16.2
NetBIOS over Tcpip. . . . . . . . : Disabled

If you have DHCP running on your router, turn that off to let SBS handle it. You'll need to follow the steps listed at the bottom of
When all of that is done, run the Configure Email and Internet Connection Wizard (CEICW -- which is linked as Connect to the Internet in the Server Management Console > Internet and Email).

A visual how-to is here: and a full networking overview for SBS is at
When running the CEICW, you can skip the Secure Certificate screen to keep your current one, but don't skip any other sections by selecting "Do Not Configure".

For your External DNS configuration:
You really shouldn't have created a "subdomain" for this, but rather you need to add a HOST A record to your DNS Zone file.

So, log into your account at slcatacombnetworking.com and enter the Total DNS configuration area.

You'll need to add a HOST A record for 'home' pointing to 68.236.170.63.

At some point you may want your Exchange server to receive mail directly rather than using the POP3 Connector... that's fairly easy to do, and you would just need to add an MX Record to your DNS ZONE at slcatacombnetworking.com pointing to home.fhvac.org as well as asking Verizon to modify your Reverse DNS PTR record for 68.236.170.63 to fhvac.org.

Once all of this is done, your workstations should be fine as long as they are using DHCP for their network settings (recommended).

Jeff
TechSoEasy
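
The overlap diagnosed above (both NICs of a multihomed server sitting in 192.168.16.0/24) can be checked mechanically from IPCONFIG /ALL output. This is an added example, not part of the original thread; the function names are hypothetical, and the sample text is constructed by trimming the output posted earlier.

```python
import ipaddress
import re

# Constructed sample: trimmed IPCONFIG /ALL output in the layout posted in the thread.
SAMPLE = """\
Ethernet adapter Internet Network Connection:

IP Address. . . . . . . . . . . . : 192.168.16.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.16.1

Ethernet adapter Server Local Area Connection:

IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
"""

# The same output after moving the external NIC to the suggested 192.168.100.x subnet.
FIXED = (SAMPLE.replace("192.168.16.11", "192.168.100.2")
               .replace("192.168.16.1\n", "192.168.100.1\n"))

ADAPTER = re.compile(r"^\s*(?:\w+ )?adapter (?P<name>.+?):\s*$")
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][^:]*?)[\s.]*:\s*(?P<value>.*)$")


def parse_adapters(text):
    """Return one dict per adapter that has an IPv4 address and mask."""
    adapters, current = [], None
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            current = {"name": m["name"], "ip": None, "mask": None, "gateway": None}
            adapters.append(current)
            continue
        m = FIELD.match(line)
        if not m or current is None:
            continue
        key = m["key"].strip()
        value = m["value"].split("(")[0].strip()  # drop "(Preferred)" on newer Windows
        if key in ("IP Address", "IPv4 Address") and current["ip"] is None:
            current["ip"] = value
        elif key == "Subnet Mask" and current["mask"] is None:
            current["mask"] = value
        elif key == "Default Gateway" and value:
            current["gateway"] = value
    return [a for a in adapters if a["ip"] and a["mask"]]


def find_overlaps(adapters):
    """Return (adapter, adapter, network) for every pair of NICs on overlapping subnets."""
    nets = [(a["name"], ipaddress.ip_interface(f'{a["ip"]}/{a["mask"]}').network)
            for a in adapters]
    return [(n1, n2, str(net1))
            for i, (n1, net1) in enumerate(nets)
            for n2, net2 in nets[i + 1:]
            if net1.overlaps(net2)]


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE), ("after the change", FIXED)):
        print(label, "->", find_overlaps(parse_adapters(text)) or "no overlapping subnets")
```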
 
Thank you for your quick response.

I tried logging into sslcataombnetworking.com and supposedly it is affiliated with godaddy.com who I originally registered the domain name with. Upon accessing my godaddy account I see that I was unable to modify my Total DNS settings because fhvac.org is not hosted or parked with GoDaddy, it is parked with SiteFlip.com. I went to SiteFlip.com and requested a DNS Record Modification -> I requested an A and MX modification with the helpful information you provided me. They are going to charge me $5 for each :-/


On to the network and router:

My router setting is
192.168.16.1

My DNS Servers provided from Verizon DSL are:
DNS Primary server: 151.202.0.85
DNS Secondary server: 151.198.0.39

My current set up is:

DSL Modem -> wireless router (192.168.16.1) -> switch -> all workstations and the server. My server has 2 network cards with both network cards wired into the switch.

I suppose the router may be useless, but I really don't think I want all internet requests going through the server for fear of using up its resources.

I would like SBS to assign the DHCP IPs to the workstations which it does.
Basically I would like the router to act as a gateway. (If I am using the term correctly)
Are these concepts a correct way to setup my network?

When you make mention of my EXTERNAL network card, which are you referring to? The Internet to Server connection?
I believe you may think my network is set up in the following way:
(Internet) DSL Modem -> router -> (External NIC) [SERVER](Internal NIC) -> switch -> workstations.
Then I would understand what you are saying.

Also as for modifying my Reverse DNS pointer, do you think Verizon may give me a hard time or charge me extra? You know how they are :)

Also as for the MX Records, if I create the MX record pointing to home.fhvac.org, will users of my network have their email associated with their AD username as user@home.fhvac.org or user@fhvac.org?
Preferably I would like the latter.

I have set up the POP3 Connector and it does work nicely although I am not thrilled on the minimum time it takes to retrieve new messages, 15 minutes...

Does my setup support a separate subnet? Actually after all this I can somewhat visualize what you are trying to say and it is very interesting.

Some of these topics are a little new to me.
But you have been very helpful TechSoEasy.
 
The problem is that you shouldn't have both of your NICs wired into the switch... that doesn't do you any good.

Yes, I was assuming that your network was set up as you stated above... and that's really the better way to go.

There is an example of this at You may also want to review for a good overview of how all these pieces fall into place.

So, no, your setup doesn't support a separate subnet unless you plug your External NIC into the Router.

I think you basically have a handle on it all. One thing to remember is that by having two NICs in your server, you are then running RRAS (Routing and Remote Access) which is essentially a router. Normally, two routers (your external one + RRAS) would be rather confusing to configure... but with SBS, running the CEICW takes care of everything for you.

Jeff
TechSoEasy
 
Would this setup use the server for all internet requests, wouldn't that use too many resources?
 
Why do I need to use the server as an intermediary for internet access? Why can't I just point the DNS and Gateway to the Router?
 
Would this setup use the server for all internet requests, wouldn't that use too many resources?

No... that is the recommended configuration that SBS is designed to handle. TCP/IP requests take very little resources compared to the gains you would get in performance by configuring it the way it was designed.

Why do I need to use the server as an intermediary for internet access? Why can't I just point the DNS and Gateway to the Router

Because about 80% of all traffic on your LAN is between the clients and server for things that have little to do with the Internet. This traffic is almost entirely TCP/IP. DNS is tightly integrated with Active Directory, so your concept of SBS being an "intermediary" couldn't be farther from the reality of what's going on. By not configuring your SBS as the sole DNS provider, you would noticeably decrease your network's overall performance.

Jeff
TechSoEasy
 
Well I set my network setup as such the one you suggested. My settings are:

Host Name . . . . . . . . . . . . : juliet
Primary Dns Suffix . . . . . . . : fhvac.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : fhvac.local

Ethernet adapter Internet Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet
NIC
Physical Address. . . . . . . . . : 00-16-EC-4C-22-4A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.16.2
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 GT Desktop Adapter
Physical Address. . . . . . . . . : 00-0E-0C-B9-4A-BE
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2


But I am still unable to access home.fhvac.org from the building. Any suggestions?

Also I called Verizon and they made the reverse DNS PTR record 68.236.170.63 to home.fhvac.org, and the domain host changed the HOST A record and the MX entry to home.fhvac.org as well.

 
It does look like the changes were made, but you have not properly configured your Exchange Server to receive mail. You need to run the CEICW again (as noted above) to set the proper things for your email configuration.

Also, make sure that port 25 is open on your router and pointed to your server (if your router is UPnP, then the CEICW will do this automatically).

FYI, these are the ports which need to be open to your SBS:
25 - SMTP
443 - HTTPS (for RWW and OWA)
444 - SharePoint
1723 - PPTP VPN
3389 - RDP for remote administration
4125 - Remote Web Workplace

As for accessing from within your LAN, as I mentioned in my first comment, I would have thought that your internal domain was fhvac.org as well because this is usually the reason. However, since it's not, you'll have to provide the exact error message you are receiving.

I'd also note that if you have port 80 open and you are using the "Welcome to Small Business Server" default page, this is not a recommended configuration. This page is designed for internal use only. Remote users should only have access to Remote Web Workplace which is at See http;//sbsurl.com/rww for more info

Jeff
TechSoEasy
 
I forgot to open the ports on the router... oops, I am now able to access home.fhvac.org within the building. Thank you.

As for Exchange Server:
I did run CEICW and went through the settings as usual. How are you able to tell that I didn't set it up properly?
And what am I doing wrong?

I think I am using Welcome to SBS default page, can you confirm this when you go to ?



Thanks a lot.
 
Also would it be unwise of me to forward the range of all ports to the server?

The only reason I am asking is because it seems my router has a limited number of spots, and I fear that I will run out for future expansion.
 
Actually, I think the Exchange server is working, I disabled the POP3 connector and I am still able to receive mail.


However, say I wanted to set up my email account at home. I tried adding the account to my Outlook software at home as a POP3 account and it doesn't seem to be able to login.

Thanks
 
I did run CEICW and went through the settings as usual. How are you able to tell that I didn't set it up properly?

Because when I checked your domain at diagnostics, it failed. It's now working. You can also check it at
I take back what I said about your SSL certificate. You do have something wrong with it. When you ran the CEICW on the Certificate screen, you entered 'home.fhvac.local' in the box instead of 'home.fhvac.org'

(I can tell this by looking at the certificate when it pops up when trying to access your site)

CN = home.fhvac.local <<<---- should be home.fhvac.org
CN = companyweb
CN = juliet
CN = localhost
CN = juliet.fhvac.local

So, you need to rerun the wizard once again and change that.

When you run it, make sure that "Outlook via the Internet", "Outlook Web Access", and "Remote Web Workplace" in the Web Services Configuration screen are enabled. This will allow you to access your email from home or other remote places in a couple of different ways.

From home, you want to use Outlook 2003 configured with RPC over HTTPS (Not POP3 as you were trying because you don't have that enabled on your server and you don't want to). Instructions for configuring RPC over HTTPS are in your Remote Web Workplace (RWW) main menu. The instructions are customized for your particular setup.

For info on RWW, see (which I linked above but had a typo in).

You can also access email through Outlook Web Access by going to
I think I am using Welcome to SBS default page, can you confirm this when you go to
Yes, you are... because that's what you see when you go to You don't want that open to the Internet, so when running the CEICW do not select "Business Web site ( on the Web Services Configuration screen, and do not have port 80 open on your router.

Also would it be unwise of me to forward the range of all ports to the server?

I think you already know the answer to this. YES it would be unwise of you to do that. What is the make/model of your router? Because I've never seen one that wouldn't allow six port forwarding entries (That's all you need, if there are others you can remove them).

Jeff
TechSoEasy
 
Hello, thanks for your help, I fixed the SSL certificate and it works now.

But for the Exchange server, it seems to have been working, I know if I send an email to a member of AD @fhvac.org that person will get it, and if they send a letter out, it will be sent. I see the tool trying to send a message from test@mxtoolbox.com to test@mxtookbox.com and it is failing. It states that it is unable to relay it. How should I fix this, although it doesn't seem to be not working for our accounts...

As for the router, well I'm using a cheap Linksys wireless router, BEFW11S4, it does have room for 10 entries, not a lot but I guess that's not a problem with the number of ports that you listed for me to keep open.

However, I would like to keep port 80 open because I do occasionally want to host something such as a picture and want to be able to access it from the internet without a problem.

As for the SBS default page, can I edit this page, or disable (or delete) it so I can write my own page. I would like to include links to, /remote, /exchange, and so forth. I know people are gonna forget what the links are if they have to remember it, I already think it's hard enough for them to remember home.+the place they have been volunteering for a while, lol.

Thank you for your help.
Mark
 
The relaying test is something that you WANT to fail. You don't want your server to be open to relay... that means that someone from outside your network can use your server to send mail to others outside your network. ie, SPAMMERS.

The problem in the diagnostic test is actually Response Time. (The line with the red dot next to it).

So, I'd wonder what's causing that... and it could be your router having some wrong settings. Make sure it has the latest firmware. Check the Version number on the label at the bottom of the router and then download the latest from
Since you have a BEFW11S4, you should let SBS configure it... by enabling UPnP on it and then running the CEICW. You'll note that the ports will be configured in the UPnP Forwarding screen which has an additional 10 spots to forward.

If you do keep port 80 open, then I definitely suggest changing the default page to redirect to RWW. That way your users won't have to remember anything other than (they don't need to know about /exchange because OWA is part of RWW's main menu).

To create the redirect page, open notepad and copy and paste the following line:

<meta http-equiv="refresh" content="0;URL=/remote">

Save the document as index.html and place it in C:\Inetpub\
Jeff
TechSoEasy
 
I updated the firmware of the router, but I don't think that my server is supporting UPnP connections, as CEICW doesn't recognize any devices. UPnP is enabled in the router.

I also notice that at one point something may have recognized it, probably during a previous network structure (this particular router got around), I see UPnP entries that point to IPs that don't exist on my network.

Any way to get SBS to recognize a UPnP device?

Also the redirection was successful. I had to make a few extra modifications, I'll post it for others to use in the future:
index.html should be index.htm, or add index.html as a default webpage type. And default.htm should be renamed to ~default.htm so that it won't default to it.

Thanks


 
If you see those entries, then DEFINITELY reset the router to its factory default.

I don't believe that it's SBS that's not recognizing it... what version is your router and what version firmware did you just install?

Yeah, you'll have to name it index.htm or add it as a default webpage type. If you do that, then you don't need to rename default.htm, you can just move index.htm to the top of the list so it gets served first.

 
My router is BEFW11S4 version 4.0, with Firmware Version: 1.52.02.

 