  Web Domain Forwarding in a Heterogeneous Environment  
 
 
 
The Problem   One hurdle we are occasionally presented with concerns the need to add web servers to a site that operates from a single IP address. This is frequently brought up by a Windows*-to-Linux conversion customer who is typically running a Windows* shop, or just a single Small Business Server. It is a particular concern because most of these projects start off as a retrofit, and we need to keep the old Windows* servers running while new Linux servers are being added to the computing environment.
 
    The question boils down to: can a small business run a heterogeneous web server environment, and if so, how?
 
 
Microsoft Solution   Add Microsoft's Internet Security and Acceleration (ISA) Server to your network.
 
    This solution entails:
 
      - Purchasing a new, more powerful, server with Premium Small Business Server (SBS) 2003, as it is the cheapest Microsoft solution that offers ISA for SMBs (Small to Medium Businesses).
      * or *
      - Purchasing a new, more powerful, server with Windows* 2003, along with a copy of ISA 2004 installed on top of it.
 
    The need for Microsoft's ISA server is a result of their IIS web server not having any native proxy capabilities built into it. The feature set of ISA, and even more so that of the premium SBS, is overkill for the simple need to expose multiple web servers through a single IP port. Finally, this Microsoft solution requires three servers to provide the desired functionality: the original Microsoft server, the new Linux server and the Microsoft ISA server.
 
 
 
Artige Solution   Since we are already adding a Linux server to the intranet, we can use the Apache web server that is readily installed on Linux to handle the routing of requests for webpages to the appropriate web server located on the intranet. More than likely, Apache will already be installed as part of an Artige solution, such as that included with our ArMES real time system. In this scenario there are only two servers required: the old Windows* server and the new Linux server.
 
    Now the concern is, how much work is there to expose the web directories from the old Windows* server? Actually, it is quite simple. All that needs to be done is to edit the httpd.conf file on the Linux server, and make a pair of entries for every virtual directory that is located on the Windows* server. The entries look like this:
 
      ProxyPass /vdirectory1/   http://oldWindowsServer/vdirectory1/
      ProxyPassReverse /vdirectory1/   http://oldWindowsServer/vdirectory1/
 
    There are a few things to keep in mind about using this approach. The local Apache web server should not have a virtual directory with the same name as one that is being routed to the old Windows* server. Also, any time a directory is modified on the old Windows* server, the httpd.conf file needs to be reviewed. Finally, a high-traffic web server (mega-thousand hits per hour) should be served on its own IP address, but you knew that already.
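    A review of httpd.conf against the pairing and naming rules above can be scripted. The following is an added example, not part of the original article or of Apache itself: the function name lint_forwarding, the host tomcatServer and the sample paths are constructed for illustration, and only top-level two-argument ProxyPass/ProxyPassReverse lines and Alias/ScriptAlias mappings are examined (directories under the DocumentRoot are not).

```python
import re

# Constructed sample httpd.conf fragment; tomcatServer and the paths are illustrative.
SAMPLE_CONF = """\
Alias /reports/ "/var/www/reports/"
ProxyPass        /vdirectory1/ http://oldWindowsServer/vdirectory1/
ProxyPassReverse /vdirectory1/ http://oldWindowsServer/vdirectory1/
ProxyPass        /reports/     http://oldWindowsServer/reports/
ProxyPassReverse /reports/     http://oldWindowsServer/reports/
ProxyPass        /app/         http://tomcatServer:8080/app/
"""

# Directive names are case-insensitive in Apache configuration files.
DIRECTIVE = re.compile(
    r"^\s*(ProxyPassReverse|ProxyPass|ScriptAlias|Alias)\s+(\S+)\s+(\S+)", re.I)

def lint_forwarding(conf_text):
    """Return sorted findings for the pairing and name-collision rules."""
    forward, reverse, local = {}, {}, set()
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)          # commented-out lines do not match
        if not m:
            continue
        name, path, target = m.group(1).lower(), m.group(2), m.group(3).strip('"')
        key = path.rstrip("/") or "/"      # treat /x and /x/ as the same prefix
        if name == "proxypass":
            forward[key] = target
        elif name == "proxypassreverse":
            reverse[key] = target
        else:
            local.add(key)                 # path served by the local Apache
    findings = []
    for key, target in forward.items():
        if key not in reverse:
            findings.append(f"{key}: ProxyPass without ProxyPassReverse")
        elif reverse[key] != target:
            findings.append(f"{key}: ProxyPass and ProxyPassReverse targets differ")
        if key in local:
            findings.append(f"{key}: also mapped locally by Alias/ScriptAlias")
    for key in reverse.keys() - forward.keys():
        findings.append(f"{key}: ProxyPassReverse without ProxyPass")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_forwarding(SAMPLE_CONF):
        print(finding)
```

    Running it after every change on the back-end servers gives the httpd.conf review a repeatable form.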
 
    This web domain forwarding method can be extended to additional servers running inside an intranet. One can even expose intranet web servers that are running on various port numbers as a normal port 80 HTTP web server, such as a Tomcat servlet system running on its default port 8080. The diagram below shows such a setup.
 
    [Diagram: Apache web forwarding deployment]
 
Side Note   What if the client is already running an ISA server?
 
    Where the client already has an ISA server, we can continue using the ISA server and add additional routing paths to the new Apache web server. This is definitely feasible for those instances where the client wishes to maintain the Microsoft* servers. One could even install Apache onto the ISA server itself. In the latter case the Apache server would need to use a different port number than 80.
 
    Of course, one should question the need to install Apache on an ISA server, or even allow IIS to operate on the same ISA server. ISA is being installed for reasons in addition to load controlling. The "S" stands for Security. This means the ISA server is a public-facing agent that will be the first to see attacks on port 80. It is NOT a good idea to install any internal services on a public-facing server, especially if it is a Microsoft* server. Experience has shown that most attacks are aimed specifically at IIS and Microsoft's* WebDAV and FrontPage extensions, none of which are required for an Apache server to operate. So out of experience we do not recommend placing Microsoft* servers in public-facing roles.
 
 
    * - Windows is a trademark of the Microsoft Corporation.
 
 
 
 
 


All rights reserved.   All site content copyright © 1997-2005 Artige Company
Last updated: 17-April-2005 03:50z