Solved

Need to allow port 446 thru the firewall

Posted on 2008-09-30
Last Modified: 2012-08-13
I am a total newbie on Pix 515. I have two websites sitting on the DMZ. They share the same IP address. I am using host headers to direct to the correct site. They both use SSL. One is using port 443 and the other is using port 446. IP of the web server is 192.168.1.5.

https works for the website using port 443, but the site using port 446 can only be accessed on the LAN, not the WAN.

Any help on how to open port 446 on the PIX so this site can be accessed from the outside would be appreciated.

0
Question by:FMAIntl
10 Comments
 
LVL 1

Expert Comment

by:yans
ID: 22610759
0
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 22611201
You have to create a static xlate, then open the port in the access-list.

static (inside,outside) tcp interface 446 192.168.1.5 446 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 446
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22611557
Yes, this does pose a problem... if you're trying to host 2 SSL websites on the same IP address you will need a web server that supports SSL host headers (like IIS 7). It is not possible to run two SSL websites on port 443 on the same IP address unless you have SSL host headers.
You CAN open up port 446 to the outside, but this is NOT a practical solution as ALL browsers default to port 443 for SSL. Maintaining redirects and proper linking in an SSL site that doesn't use the default port is a nightmare and usually unmaintainable. It's especially bad if the same code ever runs on a regular HTTP (port 80) connection.
I highly recommend getting a second public static IP from your ISP. That is the correct solution to this problem. Redirecting to port 446 will cause problems with web search engines that crawl the site and lots of other things.
BTW -- if you have Vista business or ultimate or Windows Server 2008, you have IIS 7. This is the only way to do this with one public IP and two or more SSL sites. I don't believe there is currently an open source or free web server that supports SSL host headers (What? MS invented something? Lol.).
Let me know if that info helps!
0

Author Comment

by:FMAIntl
ID: 22619982
The server is 2003 Server and I am running IIS 6.

Both sites on this webserver are actually for employees only. The application I am trying to use port 446 for actually requires SSL. So, when the employees are given the URL, I can actually put mysite.com:446 in the message for the URL to bookmark.

Does that change any of the recommendations or do I still need to get a second IP? I would rather not burn one for an employee only app.
0
 

Author Comment

by:FMAIntl
ID: 22619995
lrmoore - you mentioned these two commands
static (inside,outside) tcp interface 446 192.168.1.5 446 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq 446

Can I just put those into the command line function in the Pix PDM?  I do not know how to make changes to that firewall other than thru the PDM.
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 250 total points
ID: 22620041
If the app has no problem using 446 then go for it and avoid wasting that IP! It's just not recommended for public sites.
Yes, you can enter those through the command function of the PDM. Those set up the forwarding of port 446 as requested.
Please note that the access-list command needs to have the name replaced with the name of your current access-list.
0
 

Author Comment

by:FMAIntl
ID: 22620366
Pugglewuggle's comments made me think. I want to do this the right way. I realized I had never actually used https to access the other website from outside the LAN, only http. So I tried https://stuff.mysite.com and that doesn't work either! I get invalid hostname.

So now I wonder what is using port 443. Netstat/PUTIL shows that Citrix Metaframe Secure Gateway is listening on port 443.

I had assumed the first site had port 443 set in the SSL port in IIS; well, it was actually set to port 444. I had assumed it was using 443 (sorry, should have checked before I submitted the question).

So now I have Citrix using port 443 for SSL. That access works. But https access to my other two sites doesn't work at all.

So, does that mean I need to have 3 public IPs? I said I was a newbie, so here is a dumb question -

If I get two new public IPs for these two sites, I would have to
1 - Change the PIX to route https traffic for those new IPs to 192.168.1.5.
2 - In IIS - remove the host headers
3 - In IIS - change the sites to use the public IPs instead of 192.168.1.5
4 - In IIS - change the SSL ports to 443 for these sites.
 
Here is dumb question #2 -  I get an error now trying to use port 443 for SSL on the site because Citrix has it.  Will I still have that same problem and have to use a different port for SSL? Then aren't I back at square one?   Don't laugh - I said I was new at this!
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 250 total points
ID: 22620453
That is right: it won't work from the inside by default. You need a thing called "hairpinning" to access servers from inside the LAN.
Is the 1st site a public site or another employee site (the 444 one)?
Is there a way to get Citrix to work on a port other than 443? If not, and the 1st site is for the public, you will need to use another public IP.
No - you don't have to have 3 public IPs. For that matter, you can theoretically run over 65,000 SSL sites on one public IP. The only 3 times you really need to use port 443 are a) when the site is for use by the public (search engines don't like SSL sites not being on 443), b) if more than one of the apps running SSL cannot use a port other than 443, or c) you have a public site and something else that also has to run on SSL (in this case you need 2 IPs).
What error do you get when trying to access the site?
I'm not laughing - getting SSL setup can be complicated at times. :) I understand.
0
 

Author Comment

by:FMAIntl
ID: 22620578
The site using 444 is also an employee-only site. All the public sites are hosted off site, which is why I don't know how to set some of this stuff up; that is all done by the hosting site :)

I haven't tried to move Citrix to another port, I could try that.

The site using port 444 gets a generic error BadHost - Invalid address when I try to use HTTPS to access it over the WAN using https://stuff.mysite.com:444. If I use http://mystuff.mysite.com, it works fine.


0
 

Author Comment

by:FMAIntl
ID: 22620698
PIX didn't allow 444 either.  I added both 446 and 444 and everything works now.  Thanks for the help and the education on this topic!!
0
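Putting the thread together, here is an added example (not posted by anyone in this thread) of the full PIX 6.x configuration for the final state the asker arrived at: both TCP 444 and 446 redirected to 192.168.1.5, the access-list entries under the name already applied to the outside interface as Pugglewuggle pointed out, and the show commands to confirm it. It assumes interfaces named inside and outside and an existing inbound ACL called outside_access_in; 203.0.113.0/24 in the comments is a placeholder for an employee address range.

```cisco
! Added example, not the thread's own configuration. Assumes PIX 6.x CLI
! (the version that ships with PDM), interfaces named "inside" and "outside",
! and an inbound ACL named outside_access_in already bound to outside.
! If the web server is on a DMZ interface, replace "inside" with that
! interface name in each static below.
configure terminal

! Port redirection: map TCP 444 and 446 on the outside interface address to
! the same ports on the web server. One static per port; the netmask is
! always a host mask for a single address.
static (inside,outside) tcp interface 444 192.168.1.5 444 netmask 255.255.255.255
static (inside,outside) tcp interface 446 192.168.1.5 446 netmask 255.255.255.255

! Permit only the two redirected ports inbound. Use the ACL name that is
! already applied to the outside interface: a new name creates a second,
! unbound ACL that does nothing. Because both sites are employee-only, the
! source "any" can be narrowed to a known range (placeholder 203.0.113.0/24,
! written as "203.0.113.0 255.255.255.0" in PIX 6.x) if employee addresses
! are predictable; otherwise keep "any".
access-list outside_access_in permit tcp any interface outside eq 444
access-list outside_access_in permit tcp any interface outside eq 446

! Bind the ACL inbound on outside. Only needed if it is not already bound;
! binding a differently named ACL here would replace the existing one.
access-group outside_access_in in interface outside

! PIX 6.x may keep using existing translations until they are cleared.
! clear xlate drops current NAT sessions, so run it in a maintenance window.
clear xlate

! Verify: the two statics, the two permit lines with hit counts, and
! the active translations for 192.168.1.5.
show static
show access-list outside_access_in
show xlate | include 192.168.1.5

! Save to flash so the change survives a reload.
write memory
```

If the PIX is accessed only through PDM, these lines go into its command-line tool one at a time; the show commands are the ones to run from outside the LAN is still tested with a browser to https://stuff.mysite.com:444 and :446, since inside hosts cannot reach the outside interface address without hairpinning.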
