Windows Integrated Authentication

Re: Windows Integrated Authentication

Postby Code Crafters » Mon Jan 28, 2008 10:57 am

We may add a .NET version of WebMail in a future major version but not version 3. You're right that if the customer already has .NET installed they don't have to download it. We'll probably make 2 versions available if we add a .NET version anyway which obviously has extra work involved.

For now you can achieve what you need by simply binding Ability Mail Server's WebMail and IIS to port 80 on 2 different IPs on the same computer (either 2 network cards or 2 NICs on the same network card) and use IIS host headers to redirect appropriate domains to Ability Mail Server as discussed earlier in this forum post.

Also, see the quote below from ealier in this post about how to get around the IIS port binding bug.
jazzy wrote:After beating my brains out over this, there is another way:

http://support.microsoft.com/kb/813368/EN-US/

Do httpcfg set iplisten -i xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the IP you want IIS to use. Don't add Ability Mail Server's IP address to the list. (IIS will bind to all the IPs you supply through that command.)Then restart everything!
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Windows Integrated Authentication

Postby m1byo » Mon Jan 28, 2008 11:15 am

The only limitation to this solution is if the server is behind a NAT firewall, then port 80 can only be forwarded to one IP (i.e. IIS or AMS!)


Ian
m1byo
 
Posts: 164
Joined: Fri Sep 21, 2007 2:36 pm
Location: UK

Re: Windows Integrated Authentication

Postby Code Crafters » Tue Jan 29, 2008 11:26 am

You can forward all Internet traffic on port 80 to the IIS IP and it can forward appropriate domains to AMS using its host headers options.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Windows Integrated Authentication

Postby m1byo » Tue Jan 29, 2008 5:40 pm

How can we do that? I was under the impression to do that you would need a reverse proxy to allow for the information to be passed back through IIS again also!

maybe (more likely probably) I am wrong, but if this is the case it would solve a lot of headache for me!

Thanks very much

Ian
m1byo
 
Posts: 164
Joined: Fri Sep 21, 2007 2:36 pm
Location: UK

Re: Windows Integrated Authentication

Postby Code Crafters » Wed Jan 30, 2008 11:22 am

I haven't personally set up this scenario but many other customers have forwarded all mail traffic to IIS on port 80 then used host headers to redirect certain domains to Ability Mail Server on a different IP, port 80. The only other way would be if your router or other intermediate software could catch traffic on port 80 and forward to the appropriate IP based on the domain being accessed which I don't think many do so the host headers is the best way which has worked for other customers so far and is what I recommend you try.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Windows Integrated Authentication

Postby Pugglewuggle » Mon Feb 04, 2008 8:55 pm

Hi Everybody,

Chris is right. We have 60 sites on our IIS 6 server running only on host headers and port 80. In fact, the server is behind a NAT'd firewall - we forward all traffic from port 80 on that particular public IP address to the server and IIS decides which site to send out. Reverse proxy is not necessary.

Regarding hosting a website (or several) AND AMS Webmail (using the integrated server) on port 80, you will need AT LEAST 2 public IP addresses - one for all the others sites running on IIS and one just for AMS. If you're running Windows Server (not a client version) you can bind multiple IP addresses to one NIC. Just do this and have IIS run off one IP and have AMS run off the other.

Boom! You've now got IIS websites (using host headers) and AMS Webmail on port 80!

It would, however be *FANTASTIC* if Code Crafters gave AMS an IIS webmail frontend...

The best (and most simple) way to do it is just to get multiple public IPs if you can... some ISPs won't allow home accounts to have more than one public static IP so you might need a business account.

Cheers! :D
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: Windows Integrated Authentication

Postby Code Crafters » Tue Feb 05, 2008 10:46 am

Thanks for the feedback Pugglewuggle. But isn't it possible with a single externally viewable (Internet) IP and 2 internal LAN IPs to have IIS receive all external port 80 traffic and by using host headers forward appropriate domains to AMS to deal with directly rather than needing 2 public IPs? I'm sure I've heard of people doing that. You can also host normal non-scripted websites on AMS directly too if that's adequate for your needs. We will try to add a .NET front end for WebMail in the future when we can but this is quite a large project so I can't promise anything anytime soon.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Windows Integrated Authentication

Postby Pugglewuggle » Tue Feb 05, 2008 6:27 pm

I definitely understand on the .NET webmail... .NET can be a pain but it sure is worth it when we use it to develop apps for large scale deployments due to the automatic compilation and caching of the code so it doesn't have to execute the whole script EVERY TIME. That significanly reduces server load.

chris wrote:But isn't it possible with a single externally viewable (Internet) IP and 2 internal LAN IPs to have IIS receive all external port 80 traffic and by using host headers forward appropriate domains to AMS to deal with directly rather than needing 2 public IPs? I'm sure I've heard of people doing that.


As for using the single external IP address to host both AMS Webmail and IIS sites on the same port, it's not possible (to my knowledge... and if it is, it can't be simple). We actually tried that before when we were trying to consolidate IP address usage. It doesn't work.

What it boils down to is that your traffic coming from the internet on 1 IP address/port can only go to one place. You can't have 2 "active" services (meaning ones that both send and recieve data) listening to the same port or you get REALLY screwed up results. You can have 1 "active" service and x number of "passive" services (meaning one that actually serves data and another that, say, records logs and is pass-through) on the same port as far as I know.

My guess is that the reports you've heard of it working (which it might, sometimes - and not others) have it implemented like this... which is not a viable solution.

We use all Cisco equipment for our networks, so I assume we would have found an alternative if it were possible (as enterprise class equipment gives you MUCH more flexibility as far as advanced configurations, etc. go).

Another possibility (if an ugly URL doesn't matter) is that if you're running a Server version of Windows, just setup multiple IIS sites that contain the host headers for the domains you use and have them redirect to the domain/port number. This way, you can use 1 public IP for everything (although AMS and IIS would still be on different ports). This should preserve the host header for AMS and allow you to access Webmail without having the user actually type http://webmail.mydomain.com:8000 in the address bar (as long as you have the IIS site setup with the host header webmail.mydomain.com.

That's how we did it for a while. Average users just freak out when the see the :8000 at the end of a URL, if you know what I mean.

Cheers!
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: Windows Integrated Authentication

Postby Code Crafters » Wed Feb 06, 2008 11:14 am

Thanks again for all your feedback. We host our site at a different location to our Ability Mail Server so obviously this isn't a problem for us. I still wouldn't be supprised if there is some simple routing software out there that could receive incoming connections for HTTP and route the connection based on the domain used in the HTTP request but whatever way you look at it there is no ideal solution other than 2 external Internet IPs. We will try to build a .NET version of WebMail into a future release as this is obviously a valuable assett to the software.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: Windows Integrated Authentication

Postby Jodrik » Tue Nov 18, 2008 9:43 am

A rather novel solution to this problem is simply to create a page in IIS that uses something trivial like a frame or iframe that opens your webmail on another port in a 100% width and height mode. A bit crude but it get's the job done.
Jodrik
 
Posts: 40
Joined: Wed Sep 19, 2007 8:39 am
Location: Netherlands

Previous

Return to Suggestions

Who is online

Users browsing this forum: No registered users and 5 guests

cron