Different SSL Websites on one IP and one Port

Different SSL Websites on one IP and one Port - 13.Apr.2004 9:46:00 PM   
sanfrancesco

 

Posts: 16
Joined: 13.Apr.2004
From: Germany
Status: offline
Can ISA Server 2000 distribute SSL traffic to different back end Webservers based on the host header supplied to the Web listener interface ?

We have a server with only one public IP address and clients behind a firewall that enables SSL traffic only on 443. Since we want to use OWA and Citrix, we need to distribute on a host-header basis.

I couldn't find anything in "ISA Server and beyond", so it's probably not a feature.
Post #: 1
RE: Different SSL Websites on one IP and one Port - 13.Apr.2004 11:40:00 PM   
ljp1967

 

Posts: 192
Joined: 23.Sep.2003
From: Australia
Status: offline
Hi sanfrancesco,

See Article:
http://www.isaserver.org/tutorials/Publishing_Multiple_Web_Sites_using_Web_Publishing_Rules.html

I assume that you have 2 Real World FQDNs that point to the same External IP address (i.e. owa.mydomain.com & nfuse.mydomain.com) and that you are using SSL for both sites...but you have a problem with certificates...

See this article to get around limitation of single external IP and certificates...
http://www.isaserver.org/tutorials/2004wildcardcert.html

HTH,
ljp

(in reply to sanfrancesco)
Post #: 2
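
Why a single wildcard certificate makes host-header publishing over SSL possible, as an added example that is not part of the original posts and is not ISA Server code: the listener has to present its certificate before it can read the Host header, so that one certificate must cover every published name. The back-end addresses and the `route` helper are assumptions made for illustration.

```python
# Added example. LISTENER_CERT, ROUTES and the back-end addresses are
# constructed; only the two host names come from the thread.
LISTENER_CERT = "*.mydomain.com"
ROUTES = {
    "owa.mydomain.com": "10.0.0.10",    # constructed back-end address
    "nfuse.mydomain.com": "10.0.0.20",  # constructed back-end address
}


def wildcard_covers(cert_name: str, hostname: str) -> bool:
    """True if cert_name (exact name or '*.domain') covers hostname.

    The '*' stands for exactly one left-most label: '*.mydomain.com' covers
    'owa.mydomain.com' but not 'mydomain.com' or 'mail.owa.mydomain.com'.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Policy choice in this example: refuse over-broad names such as '*.com'.
        return (len(cert_labels) >= 3
                and host_labels[0] != ""
                and cert_labels[1:] == host_labels[1:])
    return cert_labels == host_labels


def route(host_header: str, listener_cert: str, routes: dict) -> str:
    """Pick the back-end for an already decrypted request, else ValueError."""
    host = host_header.strip().lower()
    if ":" in host:  # drop an optional port, e.g. 'owa.mydomain.com:443'
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            raise ValueError("malformed Host header")
    if not wildcard_covers(listener_cert, host):
        # The client would already have seen a certificate name mismatch.
        raise ValueError("host not covered by listener certificate")
    if host not in routes:
        raise ValueError("no publishing rule for this host")
    return routes[host]


if __name__ == "__main__":
    for h in ("owa.mydomain.com", "nfuse.mydomain.com:443"):
        print(h, "->", route(h, LISTENER_CERT, ROUTES))
```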
RE: Different SSL Websites on one IP and one Port - 15.Apr.2004 12:04:00 AM   
sanfrancesco

 

Posts: 16
Joined: 13.Apr.2004
From: Germany
Status: offline
Thank You very much, ljp.
I would have phrased the question more intelligently if I had read through this site a little more.
Microsoft should be paying You people money, because without the information on this site ISA server is worth only half.
We've succeeded in publishing multiple sites distinguished only by the host header. It even works with SSL using the wildcard certificate.
However, publishing the Cisco Secure Gateway results in the SSL error 4 described in the post
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=6;t=002427.
The solution described by MarcusPA suggests that it should work if the ISA server passed its internal IP to the CSG.
As I understand, using Web publishing, this happens by design, as it should result in reverse proxying.
Could this be a problem with non-http content? I thought ISA didn't care about the nature of the contained application protocol.
Thanks for the help.

(in reply to sanfrancesco)
Post #: 3
RE: Different SSL Websites on one IP and one Port - 15.Apr.2004 2:16:00 AM   
ljp1967

 

Posts: 192
Joined: 23.Sep.2003
From: Australia
Status: offline
Hi sanfrancesco,

Is your ISA server behind a PIX (or other firewall)...?

Are you trying to Web Publish CSG...? If so you might need to do it another way. CSG is not actually a web site, it is only a service that listens on the port you specify (normally 443) with a certificate assigned to it (Important note: the certificate name has to match the FQDN that you specify in your Nfuse settings for CSG).

One way is to Server Publish CSG but you may need to change the port that it listens on to avoid contention with your SSL listener. This would also involve adding this port to your external firewall the same way you have done for port 443

If you Server Publish CSG then you might need to apply this MS Kb Article fix to enable ISA to send its IP as the source address so CSG sends the reply back to ISA instead of trying to send direct to external client... (as per MarcusPA topic)

http://support.microsoft.com/default.aspx?scid=kb;en-us;311777

Let me know how this goes....

Side Note: In our environment we have 2 real world ip's published on the PIX for Citrix Nfuse and CSG, one is for the nfuse web publishing rule (via SSL) and the other is for the CSG service (both running on the ISA server itself which is in caching-only mode in a DMZ). Applied disablesocketpooling vbs scripts for Win2000 to get this to work.

thanks,
ljp

[ April 15, 2004, 03:02 AM: Message edited by: ljp1967 ]

(in reply to sanfrancesco)
Post #: 4
RE: Different SSL Websites on one IP and one Port - 15.Apr.2004 9:03:00 AM   
sanfrancesco

 

Posts: 16
Joined: 13.Apr.2004
From: Germany
Status: offline
I'm sorry, I intended to write Citrix Secure Gateway.
What we're trying to do, basically, is trying to see if it's possible to run both CSG and OWA with SSL on one external IP, because our Internet Provider is low on public IPs. It all has to run on 443, because we want to be able to reach it from behind a firewall. After all, quite an ambitious configuration ;-).
It appears that ISA Server, having unpacked the CSG request, isn't able to build a new SSL channel to the CSG server, whereas everything works fine with OWA. We have a working Split DNS configuration, so that shouldn't be the problem.
Thanks for the help, although I don't know if this is feasible at all.
I'm looking into ISA 2004 at the moment to see if there's maybe some new feature that could make this work.

(in reply to sanfrancesco)
Post #: 5
RE: Different SSL Websites on one IP and one Port - 15.Apr.2004 2:43:00 PM   
ljp1967

 

Posts: 192
Joined: 23.Sep.2003
From: Australia
Status: offline
hi sanfrancesco,

double-checking, is your ISA server behind a PIX or similar Hardware firewall....?
(ie: Internet<-->PIX<-->ISA<-->Internal LAN )

Where are you running NFUSE and CSG...? on the internal network...?

Here is a Citrix KB Article concerning SSL Error 4
http://support.citrix.com/kb/entry!default.jspa?categoryID=185&entryID=1730&fromSearchPage=true

Back to Citrix Secure Gateway, this is not actually a website, it is only a service that listens on 443 (or other port that you specify), so you will not be able to use web publishing in ISA to forward requests/traffic to the internal CSG box.

Options here are: (this only applies if your isa is behind another firewall, otherwise you might not be able to get CSG going)

1: to have 2 Real World IP's that NAT through the PIX to 2 DMZ IP's (actually 2 IP's on External Interface of your ISA box), one is used for a SSL Listener for your NFuse Web Publishing Rule, the other is used for the CSG service (which is installed on your ISA box itself), this is where you need to disable socketpooling.

Now, you said that you can only have one Real World IP which will make things a bit more difficult. This is where someone else might need to advise, but it could be an option for the PIX to examine the packets and forward them to either the 1st IP on ISA external interface or the 2nd IP on the ISA external interface based on the header details in the packet, this may not be possible....

thanks,
ljp

[ April 15, 2004, 04:04 PM: Message edited by: ljp1967 ]

(in reply to sanfrancesco)
Post #: 6
RE: Different SSL Websites on one IP and one Port - 3.Dec.2004 4:50:00 AM   
_Trip

 

Posts: 14
Joined: 6.Apr.2004
From: Appleton, WI
Status: offline
Sorry to bring this post up again, but I'm right at the point where this kind of leaves off. Please still be around to answer this question! [Wink]

What do you mean by:
>>>the other is used for the CSG service (which is installed on your ISA box itself), this is where you need to disable socketpooling.

How do you disable socketpooling and is the ISA box the only place that CSG service will actually work? I can't place it behind the ISA box?

Man... I'm so close, I can just smell it... this will be huge if I get it to work!

-Tim

(in reply to sanfrancesco)
Post #: 7
