Can't connect to NT 6/SecWin 6 app

[jking]

Bruce,

     First, welcome back! 
     I have a NT 6/Secwin 6 app that I cannot connect to.  On my office network, if I load the server then try another machine on the same local network, I can connect and successfully and run the web app.  However, when I move this same app out to the host server, which is a completely different network, I find I cannot connect.  Currently this app is set to run on port 80.  There is nothing else running on port 80 on the host server, but I changed the port to 8080 and still no success.  The host server has two IP's assigned to the NIC.  Even when I bind the app to a specific IP, I cannot connect to it.  Any suggestions?

Thanks,

Jeff

[jking]

Bruce,

     I tried the web6 and web9 SSL demo apps on my host server and get the same issue:  basically when I try port 443, I get a message about the certificate not being trusted (my app and yours use a sefl-signed cert) then a message that IE could not dispay the web page.  Same in FireFox.
     Our network guy assures me the router is configured properly and he feels it is an app problem.  Previously I have had some success running a secure app on a non-standard port.  There are no other apps running on 443 for this particular IP address.  I'm stumped.

Jeff

[Bruce]

Usually the first step is to connect to the server from a browser, on the same machine. That at least verifies that the program is running and connecting ok.

If that fails, I turn on error checking (just for the testing phase) to see if any useful errors appear. I also turn off any firewall running on the machine. In Windows 2008 especially you're not prompted (by default) to allow a program in the firewall you have to do that manually. (there's a firewall option to turn the automatic notifications back on as well.)

Once it's working on that machine, if it's still not visible from another machine, then it has to be either a router or firewall issue.

cheers
Bruce

[jking]

Bruce,

     The host server I'm using is Win 2003 Standard, and the firewall is turned off.  I have other NT apps both non-secure and secure on the first IP address assigned to the NIC.  I have problems with the newly added second IP on this same NIC.
     So, following your suggestion, I copied the server app to a local Vista machine and ran it.  I find I can connect to the app, running on port 443, using the browser on the same machine, with https://localhost or https://127.0.0.1.  In addition, two other machines on the same network can connect to this app.  However, I could not connect using IE 9 on my Win 7 development machine, but FireFox did work from this development machine.  So I'm pretty sure the app is working as expected.
     I will next recompile the server app with error messages turned on and bind the app to the second of two IP's on the host server machine.  This brings up a question.  On the host server machine, I have two external IP's with associated internal IP's.  I assume I want to bind to the internal IP address, is this correct? 

Thanks,

Jeff

[Bruce]

Hi Jeff,

>> I have other NT apps both non-secure and secure on the first IP address assigned to the NIC.

did you "bind" those apps to the one specific IP address? If not, they'll grab all the addresses.

Note that if you _do_ bind to an IP address, other addresses, like LocalHost, or 127.0.0.1 will not work anymore. So if my machine has 2 addresses, and I bind one app to 192.168.2.1 and the other to 192.168.2.2 then 127.0.0.1 will work for neither, I must use the 192 address to reach them.

Of course it's obvious when you think about it - but easy to forget - _all_ the apps need to be compiled bound to a NIC. (Incidentally I usually compile it to load the binding from an ini file or something.)

>> I assume I want to bind to the internal IP address, is this correct? 

correct.

Cheers
Bruce

[jking]

Bruce,

     Our network guy feels the root of my problem has to do with both IP's being on the same NIC.  The first IP has a non-NT app that runs on port 443.  I can't get any NT app to run with the second IP on port 443.  What do you think?  Should each IP be able to make use of port 443?
     It has been suggested I get a second NIC for our server and use the second IP on it.

Thanks,

Jeff

[jking]

Bruce,

     As another test, I activated the second NIC in our server.  I then assigned our second IP to that NIC.  I find I still cannot run a NT Server app on port 443.  I can run secure apps on non-standard ports such as 8002.  I have a self-signed wilcard certificate...works with port 8002 but not 443. 
     I also bought server space at RackSpace and moved the app to there.  Still I cannot run on port 443.
    Any chance there might be something in code that is causing this?

Thanks,

Jeff

[kevin plummer]

The first IP has a non-NT app that runs on port 443

> this also needs to be bound to an IP

I also bought server space at RackSpace and moved the app to there.  Still I cannot run on port 443

> make sure IIS is not running. It may be setup by default

[jking]

Kevin,

     Thanks for the advice.  The non-NetTalk app is 2X, a management shell around terminal services.  I don't know how I would bind this app to one of the IP's.  As for the Rackspace server, IIS was not installed by default so I'm not sure if there is anything else on port 443 on this machine.

     However, I have a partial solution.  I simply moved the 2X application, which communicates over SSL, to a non-standard port.  Now that 2X is not using port 443, my secure NetTalk app works as expected.

     It was my understanding that an IP address/Port combination was a unique socket.  I thought IP1:443 would be unique from IP2:443.  That is, I thought 2 different IP's could use the same port.  Each of my IP's is now on it's own NIC.

     I will now recompile the Multi-Host app to use port 443, as well as recompile the individual dll apps it will host.  All these apps will be bound to the same IP.  Hopefully this will resolve all my issues.

Thanks,

Jeff

[kevin plummer]

As for the Rackspace server, IIS was not installed by default so I'm not sure if there is anything else on port 443 on this machine.

> the general cause is either another app is already listening on that port or the firewall is blocking it. Check your process's running in task manager in case your own app has not shutdown properly and is still running or IIS or Apache. I would also test other non-std ports just to test the firewall.

 It was my understanding that an IP address/Port combination was a unique socket.  I thought IP1:443 would be unique from IP2:443.  That is, I thought 2 different IP's could use the same port.  Each of my IP's is now on it's own NIC.

> my understanding is the default behavior is to listen on a port across all IP's unless your app\web server is bound to an IP.

[Bruce]

>> The non-NetTalk app is 2X, a management shell around terminal services.  I don't know how I would bind this app to one of the IP's.

then it is likely bound to all IP's and so is likely the cause of the problem. You can obviously contact the vendor and ask about binding, or use a different server.

>> As for the Rackspace server, IIS was not installed by default so I'm not sure if there is anything else on port 443 on this machine.

Interesting - it may have changed - but on our rackspace machines IIS was installed, and had to be manually uninstalled.

>>  However, I have a partial solution.  I simply moved the 2X application, which communicates over SSL, to a non-standard port.  Now that 2X is not using port 443, my secure NetTalk app works as expected.

cool.

>>   It was my understanding that an IP address/Port combination was a unique socket.  I thought IP1:443 would be unique from IP2:443.  That is, I thought 2 different IP's could use the same port.  Each of my IP's is now on it's own NIC.

yes, each ip/port is a unique socket. Yes programs (by default) gobble up _all_ ip's on that port if given the chance. (including nettalk servers.)

You don't (as far as I know) need multiple NIC's. windows allows you to assign multiple IP addresses to a single NIC.

the key is the "binding". By default pretty much all programs will "bind" to all available IP addresses. (again, nothing to do with NICs). In order to split them apart, so you get separation, you _must_ bind _all_ the programs to a single IP address. If you absolutely positively cannot bind one of them, then it has to be started _after_ all the others. (that in itself can be tricky to do, especially on a server.)



Cheers
Bruce

[jking]

Bruce,

     Thanks for all your input.  I think it is time to set up a new virtual server for just my NetTalk apps and use the new second IP there.  Then I can go back to one IP on the physical server.

Jeff

[jking]

Bruce,

     Now I have a new virtual win 2008 server with 1 IP address.  I'm now back to the Multi-Host app on port 443.  It is running fine and displays the dll app in the Servers list and I'm using a self-signed wildcard certificate.  The certificate has been installed on the server.  Now I find the dll app sever won't run, IE says "...cannot display the web page".  This is all very frustrating.  One step forward, two steps back.  Any ideas?

Thanks,

Jeff

[jking]

Bruce,

     I have the host.exe from the multi-host app, set to use port 443 and ssl.  In the dll apps, do all these also need to be set to port 443 and ssl?  Or is it sufficient that the host.exe is listening on port 443?

Thanks,

Jeff

[jking]

Bruce,

    I have made some success by moving to a new virtual Win server 2008.  Here I have one IP and do not bind to it.  Using port 443 with a self-signed wildcard certificate.  I have added two apps to the host.  One is Mint, which has SecWin included.  Another is Risk, which does not have SecWin included.  These two co-exist just fine.  Please see the image host.png. 
     As soon as I add a third app called Xoft, which has SecWin included, the host crashes.  I have included an image (hostcrash.png) of the GPFReport file that is generated with regards to the XoftIORT.dll file associated with the Xoft app.  It indicates that the CLAWE.dll (WinEvent) file is for C7.3.  Is this the cause of all this?
     In addition, before I add the Xoft app which causes a crash, I have also noticed another problem.  When I added the first app with Insert, I found I had to restart the host app.  The browser displays "...Waiting for response from xx.xx.xx.xx, my host server IP address.  Once I restart the Host.exe app, I then use Copy of the first app to help add the second app.  I get the same symptom and must again restart the host.exe.  After this I can access both of the apps in the host just fine.
     This all seems a lot more difficult than it should be.  I really need help here to resolve these issues.

Thanks,

Jeff

[attachment deleted by admin]