Windows Server - Resolving External IP address Internally

Asked By -Draino- on 05-May-10 10:10 PM
When I access my server from outside my LAN I use something like
http://173.191.14.188/page.html

When I access my server from inside my LAN I use something like
http://servername/page.html

I want to be able to access http://173.191.14.188/page.html from
INSIDE my LAN but I cannot. I have added a forward lookup A record in
DNS but it still does not work.

What do I need to do?


Larry Struckmeyer[SBS-MVP] replied to -Draino- on 05-May-10 10:30 PM
Why?

-
Larry
Please post the resolution to your
issue so others may benefit
-
Get Your SBS Health Check at
www.sbsbpa.com
Cliff Galiher - MVP replied to -Draino- on 06-May-10 12:00 AM
There are a couple of things worth mentioning here:

1) the "page.html" has me very nervous.  You should NOT be hosting web
content on your SBS server.  Just need to mention that.
2) A direct IP address (173.191.14.188) will cause the machine you are
testing from to try to contact that IP directly.  It will not go to DNS
therefore your DNS record is doing nothing.  This is expected behavior.  If
you could not access the IP address before, you probably will not now.
3) The problem likely lies with your router.  Many routers do not do
loopback connections.  In other words, it expects connections to the public
IP only from the external interface.  It will ignore and drop traffic to the
public IP from the internal interfaces, thus when you are attempting to
access your machine with a public IP from within your LAN, the public IP is
causing the local machine to contact the default gateway (your router) and
your router is not forwarding that traffic back to your SBS machine. This
is not an SBS issue, but a router issue.  To resolve it, you will need to refer
to your router documentation or contact their support staff.  Each router is
different.

-Cliff
-Draino- replied to Cliff Galiher - MVP on 06-May-10 02:49 AM

We host a web application on our SBS2003 server. It is a package
tracking app that the drivers log into for real time package tracking.
It is not really "page.html" but it is a software app from Xcelerator
that our Mobile-Tek handheld devices dial into. We use a "Dock
Scanner" in the early AM to scan the load and all the packages go into
the Xcelerator program. As the drivers scan their packages for loading
they come off the database to show they are on the truck. When they
are delivered the handhelds send that info to the server to show the
package has been delivered. Something like UPS or FedEx.

Our server has an IP address of 192.168.16.2, the router is
192.168.16.1. All our workstations use the SBS server for DNS. So all
internal addresses get resolved using something like
http://servername/Xcelerator/Mobile/..... what ever, to access the
Xcelerator program. Outside the handhelds use
http://173.181.14.188/Xcelerator/Mobile/......what ever.

So I guess this is a router issue, I was just wondering if there was a
way to resolve it differently when accessing Xcelerator internally.
Brian Cryer replied to Cliff Galiher - MVP on 06-May-10 04:51 AM
It opens the possibility of security issues and I would not recommend it for
anything busy, but I would not go so far as to say should not host. Just be
careful and ensure you know what you are doing.
--
Brian Cryer
www.cryer.co.uk/brian
Brian Cryer replied to -Draino- on 06-May-10 05:01 AM
No, it's not a router issue, it's how you have set it up. You said that (quote):

what ever."

There is your problem. You are using your IP address. If you use an explicit
IP address then the same address will not work both internally and externally.
Use a DNS name instead and point that to your public ip address. I'd suggest
either creating a sub-domain of your main domain-name just for that purpose,
but the choice is yours. You can then re-map that name internally to point
to your server allowing you to use the same name both internally and
externally.
--
Brian Cryer
www.cryer.co.uk/brian
-Draino- replied to Brian Cryer on 06-May-10 08:27 AM
Brian Cryer replied to -Draino- on 06-May-10 09:25 AM
There are two parts to it: 1. setting up an external DNS name and 2.
redefining the same name internally.

1. Setting up an external DNS name. Assuming you have a company website and
you want to set up a sub-domain name which will be used for your application
to point to your website, then you will need to edit the DNS settings
associated with your domain name. How you do this will depend on the domain
name registrar you use, but somewhere there will be a control panel which
will let you configure DNS settings. You need to create a new "A Record"
which points to your IP address. Remember that it can take hours or even the
best part of a day for a change to filter through to clients. So try
something, but if it is not right first time then expect to have to wait for
the update to take effect. Remember that this will only affect the name
visible to people external to your network.

2. Redefining the internal DNS name is much easier. Under Administrative
tools you should find "DNS". Start that, and under "Forward Lookup Zones"
create a new zone for the full dns name and a new A-record under that to
point to your server's internal ip address OR a C-record which names your
server (the latter is possibly better). If you already have an entry for
your main domain name then just create a record under that for your new
sub-domain. Remember that this will only affect the name visible internally
to your network.

I know this is a bit sketchy, but hopefully it will give you enough to go
on.
--
Brian Cryer
www.cryer.co.uk/brian
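
Added example, not part of any post in this thread: a small Python check that ties together the two points made above, that an IP literal in a URL bypasses DNS entirely, and that a name can be given a different A record inside the LAN than outside. It assumes a /24 mask around the thread's 192.168.16.x addresses, and `track.example.com` is a placeholder name; the answers passed in are whatever `nslookup` returns from the internal DNS server and from a public resolver.

```python
import ipaddress
from urllib.parse import urlsplit

# Values taken from the thread; the /24 mask is an assumption.
LAN = ipaddress.ip_network("192.168.16.0/24")
PUBLIC_IP = ipaddress.ip_address("173.191.14.188")

VERDICTS = {
    "ip-literal-public": "DNS is never consulted; LAN access depends on router loopback.",
    "ip-literal-private": "DNS is never consulted; the URL only works inside the LAN.",
    "need-both-answers": "Supply the A record seen inside and the one seen outside.",
    "external-record-wrong": "The public A record does not point at the public IP.",
    "split-dns-ok": "Internal clients go straight to the server; the router is not involved.",
    "needs-router-loopback": "Both views return the public IP; LAN access depends on router loopback.",
    "internal-record-unexpected": "The internal A record is neither a LAN address nor the public IP.",
}

def ip_literal(url):
    """Return the host as an ip_address if the URL uses a literal, else None."""
    try:
        return ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return None

def diagnose(url, internal_answer=None, external_answer=None):
    """Return a VERDICTS key for how a LAN client will reach `url`.

    internal_answer / external_answer are the A records (as strings) returned
    by the internal DNS server and by a public resolver, e.g. from nslookup.
    """
    literal = ip_literal(url)
    if literal is not None:
        return "ip-literal-private" if literal in LAN else "ip-literal-public"
    if internal_answer is None or external_answer is None:
        return "need-both-answers"
    inside = ipaddress.ip_address(internal_answer)
    outside = ipaddress.ip_address(external_answer)
    if outside != PUBLIC_IP:
        return "external-record-wrong"
    if inside in LAN:
        return "split-dns-ok"
    if inside == PUBLIC_IP:
        return "needs-router-loopback"
    return "internal-record-unexpected"

if __name__ == "__main__":
    # Constructed inputs; track.example.com is a placeholder name.
    for args in [("http://173.191.14.188/page.html",),
                 ("http://track.example.com/", "192.168.16.2", "173.191.14.188")]:
        key = diagnose(*args)
        print(args[0], "->", key, "-", VERDICTS[key])
```
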
Gregg Hill replied to Brian Cryer on 06-May-10 11:24 AM
Brian,

You stated that, "If you use an explicit IP address then the same address
will not work both internally and externally." That is because his router is
not set up for loopback or will not do loopback at all.

Your workaround to have a DNS name mapped differently internally than
externally is precisely a router issue.

My WatchGuard firewall does loopback, and I can hit my mail server from
inside or outside using the public FQDN or its public IP address, with zero
internal DNS modifications.

If he has a router with loopback working, he will be able to use
http://173.181.14.188/Xcelerator/Mobile/whatever both externally and
internally, and if he sets up public DNS pointing to that address, it will
work the same inside and outside without internal DNS changes.

Gregg Hill
Brian Cryer replied to Gregg Hill on 06-May-10 11:33 AM
I wish my router supported that as it would save me a lot of time. Certainly
if the OP's router supports it then I agree that that would be an easy fix
for him.
--
Brian Cryer
www.cryer.co.uk/brian

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Gregg Hill replied to Brian Cryer on 06-May-10 11:46 AM
Regarding your "top-posting" tag line, I find it more annoying to read a
conversation, then scroll to the bottom to read the next comment, then
scroll to the bottom to read the next comment, then scroll to the bottom to
read the next comment, then scroll to the bottom to read the next comment,
and on and on. It is FAR easier for me to read a reply that is at the top,
as I already have in memory the initial post and subsequent replies.

That should set off the Usenet police!

Gregg Hill
James Hurrell replied to Gregg Hill on 06-May-10 11:53 AM
Certainly should!


Certainly should!
Gregg Hill replied to James Hurrell on 06-May-10 11:56 AM
Now THAT was funny!

You clever boy!

Gregg Hill
Gregg Hill replied to James Hurrell on 06-May-10 12:03 PM
I also have Outlook 2007 set to have mail in the Inbox sorted with newest at
the top. I feel like such a criminal!

Gregg
Joe replied to Brian Cryer on 06-May-10 01:07 PM
it is an arbitrary decision on the part of the manufacturer, and it is not
normally configurable. I currently have a Vigor 2800 which allows it, my
previous routers did not. I have never yet seen any router documentation
about it, and I cannot see any way to find out whether it works other
than by trying it or knowing someone who already has. It may even differ
in different firmware versions.

Unfortunately, there is a wide range of minor details about hardware
which never find their way into brochures or reviews. There is another
thread around at the moment about router EDNS handling, and VPN tunnels
are another favourite topic.

--
Joe
Cliff Galiher - MVP replied to Brian Cryer on 06-May-10 03:40 PM
Licensing gets sketchy with hosting as well.  I believe that if there is a
business need to host a web app internally then the business is big enough to
afford a separate non-domain-controller server.  Windows Server Web Edition
is not expensive.

-Cliff
Cliff Galiher - MVP replied to Brian Cryer on 06-May-10 03:42 PM
Yes, it *is* a router issue.  You can work around a router issue by using
DNS and creating a split-brain scenario (where the name resolved to two
different IPs depending on which DNS is asked) but the fact that you get two
different results only amplifies and highlights the fact that you are
working around a router limitation.

Don't get me wrong, I have had to use split-brain DNS in many places, but it
does not make it "right" and does not mean the router is not at issue.
-Draino- replied to Gregg Hill on 07-May-10 06:42 AM
Brian Cryer replied to Cliff Galiher - MVP on 10-May-10 04:20 AM
Licensing is an interesting question.

Whether it's worth having a separate server for web hosting probably depends
on what you are doing. Many SBS systems happily host websites on their SBS
server and indeed I think it's a standard out-of-the-box configuration. After
all, outlook web access is a web application and I think we'd have problems
trying to run that on a separate server.

However, I do agree with you in principle. Of the two sites I look after,
one hosts on a separate box the other only has a test site on it (no real
traffic) and is hosted on SBS.
--
Brian Cryer
www.cryer.co.uk/brian