Problem: Unable to connect to virtual server / IP-address for load balancing by gateway over Port 443

emikroDE 21 Reputation points
2023-07-07T11:03:45.88+00:00

Hey I have a problem.

To accomplish:
We want to connect to the virtual server / IP-address / hostname for load balancing reasons from servers and clients through port 443.

Environment:

  • Two subnets - clients and servers
  • Windows DNS-Server in server-subnet
    • Same Windows DNS-Server set for server & clients
      • Conditional forwarding to gateway -> everything except own domain and one stub zone

Gateway connects both subnets

  • Can be used for resolving DNS
  • Hosting a virtual server / IP-address / hostname for load balancing
  • Hostname uses FQDN of domain in use for this case. An A-Record in the Windows DNS-Server was created for this hostname, too
    • It's pointing to 3 real servers in the server subnet (but no Windows)

Problem:
Servers cannot connect via the virtual server.

  • Test-Netconnection IP & Hostname -> Connect TCP 443 failed; NextRoute (NextHop): 0.0.0.0
  • No entries in Firewall-logfile (not even blocked)
  • No entries in Gateway-Firewall Livelog (because of same interface)
  • No entries in Wireshark for Port 443 and the requested IP
  • Tried without GPOs -> no success
  • Called FQDN over internet browser: Wireshark shows many requests to external IP-addresses not the designated IP

What works:

  • Clients from another interface and another subnet in the same domain can reach the virtual server and will open the requested site.
    They are getting the DNS name for the requested IP from the Windows DNS-Server and a NextHop (Test-NetConnection) to the Gateway. Reminder: Servers are getting NextHop 0.0.0.0.
  • Clients from another interface, network and another domain can reach the virtual server and will open the requested site (WinDNS: conditional forwarding to the Windows DNS-Server in our domain).
  • Servers can connect to the WSUS in a different network and domain over Port 443 (they receive the DNS-Record from the gateway).

The only difference between clients and servers seems to be that the communication of all clients has to go through the gateway, starting with contacting the Windows DNS-Server.

Does anybody have some ideas what could be the issue here or what I can try next? Thank you!


1 answer

emikroDE 21 Reputation points
2023-07-12T08:10:35.4933333+00:00

We may have found the issue. Windows seems to work correctly.

Our Sophos UTM has a known bug for its load balancer. Load balancing is not working for the subnet where the virtual IP is located.

Until we have prepared a better solution (new hardware or further network splitting) for this problem, we are using Windows DNS for load balancing.

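The checks the question walks through by hand (which A record each resolver returns, the NextHop of the route to that address, and a TCP 443 test) can be run in one pass. This is an added PowerShell diagnostic, not code from the thread or from Sophos; the hostname and the two resolver addresses are placeholders you replace with your own Windows DNS server and gateway.

```powershell
# Added diagnostic (not from the original thread). Assumed inputs: the VIP hostname,
# the Windows DNS server and the gateway used as a second resolver.
function Test-VipReachability {
    param(
        [Parameter(Mandatory)] [string]   $Hostname,    # FQDN of the virtual server
        [Parameter(Mandatory)] [string[]] $DnsServers,  # e.g. Windows DNS server, gateway
        [int] $Port = 443
    )
    foreach ($dns in $DnsServers) {
        # Ask each resolver separately so we see which IP it hands out for the FQDN
        $answers = Resolve-DnsName -Name $Hostname -Type A -Server $dns -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' }
        if (-not $answers) { Write-Warning "$dns returned no A record for $Hostname"; continue }

        foreach ($a in $answers) {
            $ip = $a.IPAddress
            # Find-NetRoute returns the source NetIPAddress and the matching NetRoute;
            # keep only the route object so we can read its NextHop
            $route = Find-NetRoute -RemoteIPAddress $ip |
                     Where-Object { $_.CimClass.CimClassName -eq 'MSFT_NetRoute' }
            $nextHop = $route.NextHop
            # NextHop 0.0.0.0 means the VIP is on-link for this host: the same-subnet case
            # the thread identifies as the one where the UTM load balancer does not work
            $onLink = ($nextHop -eq '0.0.0.0')
            $tcp = Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue

            $note = if ($tcp.TcpTestSucceeded) { 'OK' }
                    elseif ($onLink) { 'VIP is on-link (no gateway hop): same-subnet load balancing case' }
                    else { 'TCP failed via gateway: check gateway live log / packet capture' }

            [pscustomobject]@{
                Resolver = $dns
                Address  = $ip
                NextHop  = $nextHop
                OnLink   = $onLink
                TcpOk    = $tcp.TcpTestSucceeded
                Note     = $note
            }
        }
    }
}

# Example call; the two resolver addresses are placeholders for your DNS server and gateway
Test-VipReachability -Hostname 'vip.example.internal' -DnsServers @('<windows-dns-ip>', '<gateway-ip>') |
    Format-Table -AutoSize
```

Run it once from a server in the VIP's subnet and once from a client in the other subnet; a row that resolves to the same address but differs only in NextHop and TcpOk reproduces the difference the question describes.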
