Use private IP's in DMZ for InterWorx Server


  • Use private IP's in DMZ for InterWorx Server

    Hi,
    If I remember correctly there was a requirement for InterWorx Servers to have a public IP assigned directly - I just can't find that information anymore somehow, so my question is: is it now also possible to host InterWorx Servers in a DMZ with private IPs which are NAT'ed from a public subnet?

    I've two InterWorx Servers running right now (Web, eMail, DNS) and want to move them into my DMZ behind a new firewall.

    Thanks,
    Thomas

  • #2
    Hi Thomas

    Good question, and the answer is YES

    You can use internal IP address(es) and set the external IP address to be assigned (see picture).

    This has been a feature for many years. In fact, you can cluster IW servers using internal IP addresses, which saves on bandwidth costs, so you do not use external IP addresses.

    I would not advise DMZ, just simply open the required ports on the router/NAT device and set up port forwarding between external IP and internal IP. DMZ would work though, it's just I prefer not to DMZ.

    So, when you first install and set up the network, you set up using the internal IP address, load IW-CP, register and then login to nodeworx, server, ip manager, edit internal IP address, and complete the external IP address you will use (or have mapped to internal IP address).

    Please remember to remap the internal IP address on outgoing at the router or your NATed device, so it uses the correct external IP address. Also, please ensure you have correctly set up RDNS/PTR on your external IP addresses.

    I hope that helps a little

    Many thanks

    John
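
A way to check the result of the NAT setup described in this reply, as an added example that is not part of the original thread or of InterWorx: it verifies that outbound traffic leaves with the mapped external IP and that the PTR record is forward-confirmed. The function names and all addresses are assumptions (constructed from documentation ranges), and `egress_ip` is whatever source address an outside host sees for the server.

```python
import ipaddress
import socket

# RFC 1918 ranges; checked explicitly because ipaddress.is_private also
# flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def reverse_lookup(ip):
    """PTR name for ip, or None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(name):
    """Set of addresses the name resolves to (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_nat_mapping(internal_ip, external_ip, egress_ip,
                      ptr=reverse_lookup, fwd=forward_lookup):
    """Return a list of problems; an empty list means the mapping is consistent."""
    problems = []
    if not is_rfc1918(internal_ip):
        problems.append(f"{internal_ip} is not a private (RFC 1918) address")
    if is_rfc1918(external_ip):
        problems.append(f"{external_ip} is private, not an external address")
    # Outbound traffic must leave with the same address that is forwarded in.
    if egress_ip != external_ip:
        problems.append(f"outbound NAT uses {egress_ip}, expected {external_ip}")
    name = ptr(external_ip)
    if name is None:
        problems.append(f"no PTR record for {external_ip}")
    elif external_ip not in fwd(name):
        problems.append(f"PTR {name} does not resolve back to {external_ip}")
    return problems

if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not from the thread.
    PTR = {"203.0.113.10": "mail.example.com"}
    A = {"mail.example.com": {"203.0.113.10"}}
    print(check_nat_mapping("192.168.10.5", "203.0.113.10", "203.0.113.1",
                            ptr=PTR.get, fwd=lambda n: A.get(n, set())))
```

The sample run reports the outbound mismatch: the server is reachable on 203.0.113.10 but sends from the router's own address, which is the case the reply warns about for mail delivery.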


    • #3
      Hi John,

      My installation is already "some" years old so this feature might have been added afterwards.

      The topic with NAT to DMZ from the technical side is no issue for me, I just want to clean up my network design a bit and already use many systems behind the firewall in the DMZ, just the InterWorx Servers I'd to put directly on the net with their public IPs, which gave me a headache for several years (ok, my mistake that I didn't check for years whether I can already put it in the DMZ with private IPs :D ).

      As my installation is already running with public IPs, can I just add the private IPs, then remove the public IPs and get this feature available to complete the external IP, or do I have to start from scratch?

      Thanks,
      Thomas



      • #4
        Hi Thomas

        Many thanks

        What IW version and distro are you using?

        If you have an owned license, you could always pay the small amount to update to the latest IW version. There are a lot of new features such as multi PHP installation, Let's Encrypt etc...

        I think you would need to adjust your network settings on server first (note I do not know your setup so I could be entirely wrong sorry), which you would do from SSH, and su vi /etc/sysconfig/network-scripts/ifcfg-em1 (or whatever your network is called), changing the assigned IP address and gateway to your local LAN. Reboot and access by SSH again to make sure it is correct.

        Please only do the above if you have local access or another means of directly accessing your server should the above fail.

        You may need to change some more aspects, but initially the above should get you into a lan setup.

        You could add your internal IP address, but it would be secondary to main, e.g. em1 and em1:0, so you could not delete the main IP as this is set in ifcfg as described above.

        I would need to go through some of my test servers to locate other areas that may need correcting, but it is easily completed by a .pex from IW for changing IP addresses.

        However, please do not make any changes until we know what distro and IW version you are using.

        Many thanks

        John



        • #5
          Hi John,
          I've a rented license and always automatically update to the latest version. Let's Encrypt is already a feature I enjoy ;)

          So first I have to change the network on OS level, reboot and then add the public IP back through the web interface.

          As distro I use some older CentOS (I think 6, not 100% sure right now), but as I should upgrade the OS anyway too, I might even just request two trial keys and make a fresh installation with the new internal IPs and just migrate the webspaces / DNS from the existing installation to a completely new one.

          Thanks,
          Thomas
          Last edited by Thomas; 06-09-2018, 06:59 AM.



          • #6
            Hi Thomas

            Many thanks, glad you're using the latest IW version and liking the features.

            CentOS 6 is still active and in general, the differences between CentOS 6 and 7 are Apache (2.3 v 2.4) and TLSv1.3 when it becomes mainstream/available. (I read somewhere, I am sure, that TLSv1.3 will not be backported to CentOS 6).

            I am sure there are many differences though between CentOS 6/7, but the above are the main features for myself and we have a mixture of CentOS 6 and CentOS 7 servers.

            Yes, you just amend the NIC IP to internal as you stated for changing without migration, but migration to a new server is the route I would take (able to keep both servers live so no real downtime). I would change the DNS TTL to 3600 so it is quicker on a new IP if changing servers, and also set up a /chroot for the new install, so it uses /chroot/home (the symlink will be made automatically for you as long as /home is not on its own partition).

            The reason for this is in case, in future, you would like to use the clustering aspects of IW-CP.

            Many thanks and good luck with whichever way you decide

            John
