IIS Home @ it-notebook.org

One external IP, multiple webservers

(Kristofer Gafvert, April 1, 2005)


A common scenario is that you have a public webserver behind a NAT router[1] (and probably also behind a firewall, and other devices). You have later found a need for a second webserver, and you place it behind the NAT router. The problem is however, how do you route the requests to the correct webserver?

NAT Router

We know that IIS can host multiple websites[2] on one server. IIS uses the IP, port and host header to distinguish between the websites. Can the NAT router use the same information? In general, no, it cannot. A NAT router usually works on the Network Layer, and maybe also Transport Layer, of the OSI model[3]. The host header is part of the HTTP header, which is in the Application Layer. So there is no way for the router to be able to read the host header, and take action based on the host header value.

I have not checked every NAT Router on the market, so there may be NAT routers that can read the host header. It is however not a router's task[4] to do that.

Data in packets

Multiple IPs or ports

The most simple solution to this problem is to use multiple external IPs. But it may cost additional money to buy a second IP. Another solution is to use two different external ports. This has the disadvantage that the user needs to specify a non-standard port when they browse the website. For example: http://www.gafvert.info:8080, if the second port used is port 8080. But both these solutions works without any additional hardware or software.

Reverse Proxy

Another solution is to use a reverse proxy[5]. A reverse proxy is similar to a forward proxy (commonly known as just proxy), but works on behalf of the webserver, instead of the client. It does not only solve the problem of having multiple webservers inside the NAT router, but it also adds an additional layer of defense (the webserver is not accessed directly, so the reverse proxy can filter out malicious requests), and can also cache static content (depending on how advanced the reverse proxy is).

A reverse proxy can either be a separate application, for example ISA Server[6] by Microsoft, or it can be implemented as an ISAPI filter in IIS (similar to the mod_proxy module[7] for Apache), for example ISAPI_Rewrite by Helicon Tech. Weather a separate application, or an ISAPI filter, is best, depends on the situation.

A reverse proxy may however not work (or be the most cost effective solution) in all situations. Imagine that SSL is used to protect parts, or the whole website. This means that the host header is encrypted when it gets to the reverse proxy, making it impossible to read the host header. The reverse proxy is in fact considered to be a "man-in-the-middle"[8]. There is of course a way around this. The SSL communication can be between the reverse proxy and the client (and not between the client and the webserver), and the communication between the reverse proxy and webserver is unencrypted (can be encrypted, but the communication is on the internal network which should be quite secure anyway). So if you need to use SSL, be sure you buy a reverse proxy that can do this, for example OctaGate Switch from Octagate.

Redirection in IIS is not the solution

A common misunderstanding is that the redirection feature in IIS can solve the problem with multiple webservers on the LAN. The redirection is however only a redirection. When a redirection takes place, IIS responds to the client with a 302 (Temporary Redirect) or 301 (Permanent Redirect) status code, instructing the client that the content has moved. The client then issues a new request to the new webserver. So, a redirection to on webserver 1, does not mean that webserver 1 will connect to the server with IP, it is the client (outside the internal network) that will try to connect to this IP (which will obviously fail).

Applies to [?]

IIS 6.0


[1] How Network Address Translation (NAT) Works
[2] HOW TO: Use Host Header Names to Configure Multiple Web Sites in Internet Information Services 6.0
[3] OSI Model
[4] Router
[5] Reverse Proxy
[6] ISA Server
[7] Apache module mod_proxy
[8] Man in the middle attack