Welcome to ISAserver.org

Single IP but need multiple SSL ports coming in

Single IP but need multiple SSL ports coming in - 4.Mar.2009 9:14:33 PM   
davidn

 

Posts: 16
Joined: 30.Aug.2005
Status: offline
Hi all - ISA 2006 std in a 3-leg scenario... I can see that there has been a fair bit of discussion about this, but I'm not quite sure if I understand it fully. I want to publish ActiveSync, OWA, TS Gateway and a few secure directories on the webserver, which sits in the DMZ; the other boxes (TS, E2K7 etc.) reside internally, and I am using a wildcard certificate.

Some people have said to add a virtual IP, so how do you do this so I can use multiple instances of port 443 pointing to a DMZ/internal IP? Would welcome any pointers :)
Post #: 1
RE: Single IP but need multiple SSL ports coming in - 12.Mar.2009 4:42:43 AM   
RuiFiske

 

Posts: 96
Joined: 8.Dec.2004
From: London
Status: offline
David,

I have to say I'm not sure why you would want multiple IP addresses in this scenario, but to cover that topic first:
You can add as many IP addresses as you like to your NIC by going to Network Connections, and selecting the properties of the card that you want multiple bindings for. Then go to TCP/IP properties, and select Advanced. On the IP Settings tab, you can add further addresses.

So, that is how you would do it. The next question is why would you want to do it?

HTTPS effectively only supports one certificate per IP address. This gives the client authentication of the server. The client requests an HTTPS connection for server.domain and is returned a certificate which it can use to match to server.domain, so that it can be sure that it has come to the correct server.

However, you have a wildcard certificate, so the client requests server.domain and gets a certificate back for *.domain. This is acceptable and will not raise a warning to the client. That means that you could have HTTPS connections for owa.domain, activesync.domain and any others within the .domain domain covered by this certificate. You can then publish the different servers based on this FQDN information.

This means that you can publish all these sites on the same IP address. You do not need multiple addresses.

Hope this helps.

YoY

(in reply to davidn)
Post #: 2
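
The wildcard matching described in the post above, as an added example that is not part of the original thread: it checks a planned list of published FQDNs against a certificate's names using the RFC 6125 rule that `*` covers exactly one left-most label. The `example.com` hostnames and the function names are constructed for illustration, and rejecting wildcards with fewer than two fixed labels is a conservative assumption.

```python
# Added example: which published FQDNs does a wildcard certificate name cover?
# Rule (RFC 6125, section 6.4.3): "*" is honoured only as the whole left-most
# label and stands for exactly one label. All hostnames are constructed samples.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (pattern) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False  # different depth: apex and deeper names never match
    if p_labels[0] == "*":
        # Conservative assumption: require two fixed labels, so "*.com" fails.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are not honoured here
    return p_labels == h_labels


def uncovered(cert_names, published):
    """List the published FQDNs that no certificate name covers."""
    return [h for h in published
            if not any(name_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    cert_names = ["*.example.com"]      # constructed wildcard certificate name
    published = [                       # constructed public names on one listener
        "owa.example.com",
        "activesync.example.com",
        "tsgateway.example.com",
        "example.com",                  # apex: not covered by the wildcard
        "secure.www.example.com",       # two labels deep: not covered
    ]
    for host in uncovered(cert_names, published):
        print("certificate does not cover:", host)
```
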
RE: Single IP but need multiple SSL ports coming in - 12.Mar.2009 2:00:53 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Be careful, as not all mobile devices support wildcard certificates (Windows Mobile 5, for example)...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to RuiFiske)
Post #: 3
RE: Single IP but need multiple SSL ports coming in - 13.Mar.2009 1:00:25 AM   
davidnewman

 

Posts: 10
Joined: 10.Oct.2006
Status: offline
Hi RuiFiske - many thanks for the reply... you are correct - I was under the assumption that if I had multiple servers and I wanted to pass HTTPS I would need more than one IP - I was very wrong (live and learn, they say) - you are exactly right, I purchased a wildcard certificate and it all works a treat, although using a wildcard may pose some security concerns.

JJ - I had that exact problem with a WM5 device and a wildcard!

Thanks guys :)

(in reply to RuiFiske)
Post #: 4
RE: Single IP but need multiple SSL ports coming in - 13.Mar.2009 4:50:30 AM   
RuiFiske

 

Posts: 96
Joined: 8.Dec.2004
From: London
Status: offline
Pleased to help.

Jason is correct, of course. Not all environments support wildcard certificates. ISA Server 2004 itself did not support them when it first came out. If you're going to be using a wildcard certificate, then you need to ensure that it will be fully supported by all clients.

YoY

(in reply to davidnewman)
Post #: 5
