Public website on the DMZ
Hi, I have a 3 subnet network PUBLIC/DMZ/PRIVATE all connected to a firewall. The private LAN has a DC running DNS/DHCP etc. I have a web site on the private LAN for local users. The private domain is suffixed '.local'. I want to add a public web-site on the DMZ which will be suffixed '.com'. So I have a few questions:
1 - Can I use an XP-pro install or does it have to be server? (although I guess I will need a DNS server on the DMZ so I guess I could just host it on that)
2 - Do I need a DNS server on the DMZ?
3 - Do I need to create a .COM domain also on the DMZ or do I get something from a web company? I don't quite understand how this bit works.
4 - I'm using NAT on my physical router, how does this affect things?
November 11th, 2010 4:06pm

1- While you can run web services on XP, it's going to be limited. The recommendation would be to run on a Server platform such as Windows Server if you are going to host a production web site on your DMZ.
2- You do need an externally accessible DNS server to be able to host a website. However, I would recommend that you use the DNS service through your ISP or domain registrar (Network Solutions, GoDaddy, etc...). They usually package the domain name and DNS management at no extra cost. With that deal, I do not think you can compete with them with regard to cost and stability.
3- You register the domain name with a registrar such as Network Solutions or GoDaddy. I am not necessarily recommending these two as there are many others out there. You need to shop around for prices. You can then point the domain name to your DNS servers, or simply let them host your DNS and you create records such as www, mail, ftp, etc... I would recommend that you let the registrar manage your DNS.
4- So you do not have public IPs on your DMZ? You can still use NAT. However, if you only have one public IP, you're limited in the number of services you can expose to the internet. For example, with one IP, you can only map port 80 back to one server in the DMZ. However, you can map other services (mail, ftp) to the same server or other servers. You will map back a public IP/port number to a private IP/port number.
High Level Overview: How to Host Your Own DNS and/or Webserver http://www.anitkb.com/2010/06/how-to-host-your-own-dns-andor.html
Visit: anITKB.com, an IT Knowledge Base.
November 11th, 2010 10:49pm

Hi, Thank you for your post here. JM has given the great answer. Something I would like to add:
1. A Windows client OS is never recommended if you want to host business web services. Please take Windows Web Server 2008 R2 into consideration when you need a web server with lower infrastructure costs. Windows Web Server 2008 R2 http://www.microsoft.com/windowsserver2008/en/us/2008-web.aspx
4. It affects you when you try to publish multiple web servers in the future. Without an application layer aware firewall (such as ISA/TMG server), multiple web server publishing will be impossible if the router acts as the NAT router for the DMZ network.
November 12th, 2010 2:56am

Thanks for the info and links JM and Miles. Very helpful. Cheers.
November 12th, 2010 5:24am

I'm still a bit confused... Here is a pic of the domain control panel for my domain name. In the DNS manager for the '@' and 'www' I changed the IP address to my public address (router): http://yfrog.com/n9image1koj
Here is a pic of my setup so you can see what I am talking about: http://yfrog.com/emkensoftvnet5j
On my physical router I set port forward to 192.168.1.5 (NIC 1 on the RRAS router). On NIC 1 in RRAS I set up port forward to port 80 on 192.168.2.6 (webserver). I installed DNS on the web server and called it kshomenet.dmz but there is no domain on the DMZ! Can you help me understand please? Cheers.
November 17th, 2010 9:06am

You have introduced some additional complexity in this design with the double NAT (NAT on the router and NAT on the RRAS server). You are going to have routing issues unless the router connected to the cable modem and the RRAS server share their local routes. For instance, if your cable router does not have the route for 192.168.2.x and 192.168.3.x you won't be able to deliver packets destined to those networks coming from the internet. What was the need to install DNS on the webserver?
Visit: anITKB.com, an IT Knowledge Base.
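The double-NAT chain JM describes (physical router forwarding to the RRAS NIC1, RRAS forwarding on to the DMZ web server) can be modelled to see which hop lacks a route before touching the real boxes. This is an added example, not code from the thread or from anITKB.com; it uses the private addresses quoted in the posts, a placeholder public IP, and assumes a two-hop chain where each hop either NATs replies or only routes them.

```python
import ipaddress

def device(name, subnets, routes=None, forwards=None, nat=False):
    # Constructed model of one hop: connected subnets, static routes, the port
    # forwards it applies, and whether it source-NATs replies (true NAT) or
    # only routes them (the RRAS "basic firewall, no NAT" configuration).
    return {"name": name, "nat": nat, "forwards": forwards or {},
            "subnets": [ipaddress.ip_network(s) for s in subnets],
            "routes": {ipaddress.ip_network(n): gw for n, gw in (routes or {}).items()}}

def can_reach(dev, ip):
    # True when ip lies on a connected subnet or is covered by a static route.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in dev["subnets"]) or \
        any(addr in net for net in dev["routes"])

def trace_forward(chain, dst):
    # Walk an inbound connection through each hop's port forwards, then check
    # that every hop can route to where it forwards and, when the next hop does
    # not NAT, that it also has a return route to the final server's address.
    hops = []
    for dev in chain:
        dst = dev["forwards"].get(dst, dst)
        hops.append((dev, dst))
    server_ip, server_port = dst
    problems = []
    for i, (dev, hop_dst) in enumerate(hops):
        if not can_reach(dev, hop_dst[0]):
            problems.append(f"{dev['name']} has no route to {hop_dst[0]}")
        downstream = hops[i + 1][0] if i + 1 < len(hops) else None
        if downstream and not downstream["nat"] and not can_reach(dev, server_ip):
            problems.append(f"{dev['name']} needs a return route to {server_ip}")
    return server_ip, server_port, problems

# Private addresses as quoted in the thread; the public address is a placeholder.
PUBLIC = "203.0.113.10"
STATIC_ROUTES = {"192.168.2.0/24": "192.168.1.5", "192.168.3.0/24": "192.168.1.5"}
def check_dmz_publish(rras_nat=True, static_routes=True):
    # Physical router forwards PUBLIC:80 to RRAS NIC1; RRAS forwards on to the
    # DMZ web server. Toggle the knobs to see which combinations break.
    router = device("physical router", ["192.168.1.0/24"],
                    routes=STATIC_ROUTES if static_routes else {},
                    forwards={(PUBLIC, 80): ("192.168.1.5", 80)})
    rras = device("RRAS", ["192.168.1.0/24", "192.168.2.0/24"], nat=rras_nat,
                  forwards={("192.168.1.5", 80): ("192.168.2.6", 80)})
    return trace_forward([router, rras], (PUBLIC, 80))

if __name__ == "__main__":
    print(check_dmz_publish())
    print(check_dmz_publish(rras_nat=False, static_routes=False))
```

With RRAS doing NAT the physical router only ever sees replies from 192.168.1.5, so it needs no DMZ route; with RRAS only routing, the static route for 192.168.2.0/24 on the physical router is what makes replies deliverable.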
November 17th, 2010 11:15am

I was going to host DNS because this is a learning exercise. But I will just use the domain name provider's DNS until I understand better. There are 2 static routes for the .2 and .3 subnets on the physical router. The gateway is 192.168.1.5 (RRAS NIC 1). Did I change the right thing on the domain name provider's control panel?
November 17th, 2010 1:55pm

Your DNS setup looks correct. I assume the items you "blacked-out" were IP addresses? If the IP you entered was your public IP, then you should be OK. You can test DNS by using the NSLOOKUP tool on a computer outside of your network that is pointing to an ISP DNS server. Just verify that your domain.com and www.domain.com are resolving correctly. Getting the rest working will depend on whether you indeed correctly set up your NAT port forwarding AND internal LAN routing tables. If you want to host DNS on your network for that domain, then you'll have to go back to your provider and have them set up the appropriate delegation records. However, I would leave DNS with the provider.
Visit: anITKB.com, an IT Knowledge Base.
November 17th, 2010 5:12pm

OK thanks, I'll see how it goes. I might put the web server on the .1 subnet just to see if the double port forwarding is causing a problem. Cheers.
November 17th, 2010 5:53pm

Well it works if I put the web server on the .1 (public) subnet. But it does not seem to work if I put it on the DMZ, even though there is a static route to the .2 subnet on the physical router. I tried just enabling a basic firewall (no NAT) on the RRAS for NIC1 (192.168.1.5) and forwarding that to 192.168.2.5 (web server). Then I tried forwarding the port from NIC1 (192.168.1.5) to NIC2 (192.168.2.6), and again forwarding NIC2 (192.168.2.6) to 192.168.2.5 (web server), but that did not work either! Surely there are many instances where there is a physical router as the 1st internet facing device, which needs to forward ports to another router before it reaches a web service? Well I have a copy of ISA Server 2006 which I am supposed to learn at some point. Will this be able to do it where simple RRAS cannot?
November 18th, 2010 3:22pm

Well I got it working now :) The only thing I can think I did differently was I automatically assigned RRAS as DHCP for NAT/firewall. I didn't do that before. Anyway, sorted! Cheers.
November 20th, 2010 9:13am
