  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 484

Binding port 443 to single IP on network.

I am having an issue at my company where we are trying to connect to a payroll service that constantly disconnects us.  I was speaking to the tech support guy and he asked if I have multiple Internet connections on my network (I do).  He informed me that if our connections switch over while logged into their service, they automatically break the connection as they see it as a security issue.  His suggestion was to bind all port 443 traffic to one of my IPs on my network so this does not happen.

My questions are as follows:

1. Is this a good suggestion?

2. Is this even possible?  What would be the possible pros/cons?

3. Should I just deal with it?

Any help would be greatly appreciated.

Thanks in advance!
0
Asked by: paulms53
4 Solutions
 
sstone55423Commented:
There are many ways to deal with this, depending on the type of firewall that you have.  What could be happening is that you establish an outbound connection on one outbound router, and then the next HTTPS query goes through the other one, and this confuses the end connection.  
 
You could try to allow HTTPS through only one of the routers, using the firewall.  Also, some firewalls allow you to make it always continue a connection through the same outbound connection, which does not seem to be the case with your firewall currently.
 
For us to answer the question for you, we would need a better idea of the firewall router topology, and the types of devices used.
0
 
jlanderson1Commented:
What I would do is create a default route that points all HTTPS (443) traffic out through one of your routers.  Then bind incoming traffic on port 443 back to the same router.  That will ensure 2-way traffic through one source.

One possible downside is that ALL https traffic will be using one connection, and there is no redundancy.
0
 
kpoochiCommented:
1. Is this a good suggestion? It is a good suggestion. However, it might create some issues for Outlook Web Access for the users.

2. Is this even possible?  What would be the possible pros/cons? A con is that sometimes OWA might not work.

3. Should I just deal with it? Best would be to change the payroll service to run on one of your IPs as it is an internal service.
0
 
ZupremeCommented:
I do not recommend the solution advised by your technician.  If you do what he suggests and the network that you have routed all 443 traffic through goes down for any reason, you and your users will be completely unable to access any HTTP websites whatsoever, unless you make another change to the firewall.

A more reasonable solution is to set up a NAT entry on your firewall that will associate all 443 traffic intended for your specific vendor's IP range (get that from the vendor) with the outside interface IP of one of your ISP connections.
0
 
ZupremeCommented:
Amendment:  I meant to say that you would be unable to access any HTTPS websites (not HTTP).
0
 
sstone55423Commented:
The NAT solution results in no service for HTTPS when one connection is down.  Depending on the firewall, there are different possibilities.  What is the topology?

NAT for 443 to one router is effectively the same as a default route via one router.  The issue is that you can't really set a default route for a protocol. You set a default route for a destination host or network IP address. You can make a NAT entry for a protocol (HTTPS) on most firewalls.
0
 
paulms53Author Commented:
Both internet connections bind to our Firewall(also gateway), which is a Firebox x550e. The Firebox then connects to three switches for our internal LAN, which are connected to our servers and client machines.
0
 
pwindellCommented:
I want to go back to the original post.

1. What the tech told you is not the solution,...it doesn't even acknowledge the real problem.

2. The SSL is supposed to disconnect like it is.  SSL is about security, and security can't be guaranteed if it is allowed to keep running while jumping links.  How do you tell the difference between a session hijack and a line jump??

3. Doing what they ask is,...one,...to a certain degree, impossible but depends on the exact equipment you use (meaning I can't speak for all hardware products and what their abilities are or are not),...and secondly,...will potentially screw up any site you may have that uses SSL and is accessed from the outside (like Exchange's Outlook Web Access).

4. The solution is just a partial solution and it would be to stop using the Dual ISP solution as a Load Balancing solution (uses both lines equally or semi-equally).  You have to use it in a Failover Mode where it always uses one preferred connection and the second connection lies dormant and is never used unless the first connection goes down.  Yes,..SSL will still drop if it changes lines,...that is expected and it will happen.

Some Load Balancing type solutions may work but only if the equipment is capable and is configured to keep track of individual sessions and make sure that once a session is established it will stay on the same line.  Not all equipment may work that way.
0
 
paulms53Author Commented:
I'm happy about the feedback and am happy to say that the Firebox has a solution called "Sticky Connection" which allows me to select a connection to use whenever a client on my end connects to a particular website or service until a predefined timeout, when it will then switch over to my secondary connection.  I went into the firewall and found that the timeout was set to 3 minutes (bad!) so I set it to 1 hour and now I don't seem to have the problem anymore (good!)

I was never considering binding all 443 connections to 1 IP, I was just looking for confirmation of my initial instinct and am happy that I was correct in my assumption.

Thanks to all for your input!
0
 
pwindellCommented:
to bind all port 443 traffic to one of my IPs

That really is just not even possible.  SSL is an application Layer Protocol that operates from Layer4 all the way to Layer7.  The IP Addresses operate at Layer3.  So they don't even live in the same "world".

The only thing that would have this happen is to have routing equipment that can do Protocol-Based Routing.   In the case of the Watchguard box which is handling the firewalling and WAN routing,...I really doubt it is capable of doing that.   But I could be wrong,..you could check the WG docs and see.
0
 
pwindellCommented:
Looks like we posted at the same time.  If the WG did Protocol Based Routing that would be a solution.  But moving the Timeout up higher will work a little bit,..but users may stay on the site more than an hour,...so the problem could still happen, but just less often.  But in any case it looks like you are better off than you were.

0
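To make the effect of the sticky-connection timeout concrete (the fix paulms53 applied, and the caveat pwindell raises about sessions longer than the timeout), here is a small added simulation that is not part of the thread and not WatchGuard code. It assumes a simplified dual-WAN load balancer that spreads new flows round-robin and keeps a (client, destination) pair on its link until an idle timer, refreshed by each packet, expires; the WAN and client addresses and the user's activity timeline are constructed.

```python
import itertools

# Constructed WAN addresses for the two ISP links (not from the thread).
WAN_LINKS = ("203.0.113.10", "198.51.100.20")


class StickyRouter:
    """Simplified dual-WAN load balancer with a sticky-connection table.

    Assumed model: new flows are spread round-robin over the links; a
    (client, destination) pair stays on its link until its sticky timer
    expires.  The timer is treated as an idle timeout refreshed on every
    packet; that is an assumption about the Firebox, not documented here.
    """

    def __init__(self, timeout_s, wans=WAN_LINKS):
        self.timeout_s = timeout_s
        self.next_link = itertools.cycle(wans)
        self.table = {}          # (client, dest) -> (wan_ip, expiry)

    def route(self, now, client, dest):
        """Return the WAN address this packet leaves from at time `now`."""
        key = (client, dest)
        entry = self.table.get(key)
        if entry and now < entry[1]:
            wan = entry[0]              # sticky entry still valid
        else:
            wan = next(self.next_link)  # expired or new flow: balance again
        self.table[key] = (wan, now + self.timeout_s)
        return wan


def count_source_changes(timeout_s, request_times, client="10.0.0.25",
                         dest="192.0.2.80"):
    """Count how often the vendor would see a different source address
    mid-session, i.e. how often it would tear the TLS session down."""
    router = StickyRouter(timeout_s)
    seen = [router.route(t, client, dest) for t in request_times]
    return sum(1 for a, b in zip(seen, seen[1:]) if a != b)


# Constructed activity of one payroll user: a request every minute for 10
# minutes, a 5-minute pause filling in a form, 10 more minutes of clicks,
# then a 65-minute lunch break before the last request.
PAYROLL_SESSION = (list(range(0, 601, 60)) + list(range(900, 1501, 60))
                   + [5400])

if __name__ == "__main__":
    for label, timeout in (("3 minutes", 180), ("1 hour", 3600)):
        print(f"sticky timeout {label}: source address changed "
              f"{count_source_changes(timeout, PAYROLL_SESSION)} time(s)")
```

With the 3-minute timer the 5-minute form pause alone is enough to move the user to the other link; with the 1-hour timer only the lunch break does, which is exactly the residual risk pwindell describes.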
 
paulms53Author Commented:
I agree w/ you totally pwindell.   Believe me, it allows me to relax more knowing my instincts were right.
0
