Solved

Binding port 443 to single IP on network.

Posted on 2010-08-30
Last Modified: 2012-06-21
I am having an issue at my company where we are trying to connect to a payroll service that constantly disconnects us.  I was speaking to the tech support guy and he asked if I have multiple Internet connections on my network (I do).  He informed me that if our connections switch over while logged into their service, they automatically break the connection as they see it as a security issue.  His suggestion was to bind all port 443 traffic to one of my IPs on my network so this does not happen.

My questions are as follows:

1. Is this a good suggestion?

2. Is this even possible?  What would be the possible pros/cons?

3. Should I just deal with it?

Any help would be greatly appreciated.

Thanks in advance!
Question by:paulms53
12 Comments
 
LVL 8

Expert Comment

by:sstone55423
ID: 33560487
There are many ways to deal with this, depending on the type of firewall that you have.  What could be happening is that you establish an outbound connection on one outbound router, and then the next HTTPS query goes through the other one, and this confused the end connection.  
 
You could try to allow HTTPS through only one of the routers, using the firewall.  Also, some firewalls allow you to make it always continue a connection through the same outbound connection, which does not seem to be the case with your firewall currently.
 
For us to answer the question for you, we would need a better idea of the firewall router topology, and the types of devices used.
0
 
LVL 5

Expert Comment

by:jlanderson1
ID: 33560555
What I would do is create a default route that points all HTTPS (443) traffic out through one of your routers.  Then bind incoming traffic on port 443 back to the same router.  That will ensure 2 way traffic through one source.

One possible downside is that ALL https traffic will be using one connection, and there is no redundancy.
0
 
LVL 5

Accepted Solution

by:
kpoochi earned 500 total points
ID: 33560795
1. Is this a good suggestion? It is a good suggestion. However it might create some issues for Outlook Web Access for the users

2. Is this even possible?  What would be the possible pros/cons? Cons is sometimes OWA might not work

3. Should I just deal with it? Best would be to change the payroll service to run on one of your IPs as it is an internal service.
0
 
LVL 4

Assisted Solution

by:Zupreme
Zupreme earned 500 total points
ID: 33560948
I do not recommend the solution advised by your technician.  If you do what he suggests and the network that you have routed all 443 traffic through goes down for any reason, you and your users will be completely unable to access any HTTP websites whatsoever, unless you make another change to the firewall.

A more reasonable solution is to set up a NAT entry on your firewall that will associate all 443 traffic intended for your specific vendor's IP range (get that from the vendor) with the outside interface IP of one of your ISP connections.
0
 
LVL 4

Expert Comment

by:Zupreme
ID: 33560995
Amendment:  I meant to say that you would be unable to access any HTTPS websites (not HTTP).
0
 
LVL 8

Assisted Solution

by:sstone55423
sstone55423 earned 500 total points
ID: 33561247
The NAT solution results in no service for HTTPS when one connection is down.  Depending on the firewall, there are different possibilities.  What is the topology?

NAT for 443 to one router is effectively the same as a default route via one router.  The issue is that you can't really set a default route for a protocol. You set a default route for a destination host or network IP address. You can make a NAT entry for a protocol (HTTPS) on most firewalls.
0
 
LVL 1

Author Comment

by:paulms53
ID: 33561352
Both internet connections bind to our Firewall(also gateway), which is a Firebox x550e. The Firebox then connects to three switches for our internal LAN, which are connected to our servers and client machines.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 500 total points
ID: 33569285
I want to go back to the original post.

1. What the tech told you is not the solution,...it doesn't even acknowledge the real problem.

2. The SSL is supposed to disconnect like it is.  SSL is about security, and security can't be guaranteed if it is allowed to keep running while jumping links.  How do you tell the difference between a session hijack and a line jump??

3. Doing what they ask is,...one,...to a certain degree, impossible but depends on the exact equipment you use (meaning I can't speak for all hardware products and what their abilities are or are not),...and secondly,...will potentially screw up any site you may have that uses SSL and is accessed from the outside (like Exchange's Outlook Web Access)

4. The solution is just a partial solution and it would be to stop using the Dual ISP solution as a Load Balancing solution (uses both lines equally or semi equally).  You have to use it in a Failover Mode where it always uses one preferred connection and the second connection lies dormant and is never used unless the first connection goes down.  Yes,..SSL will still drop if it changes lines,...that is expected and it will happen.

Some Load Balancing type solutions may work but only if the equipment is capable and is configured to keep track of individual sessions and makes sure that once a session is established it will stay on the same line.  Not all equipment may work that way.
0
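The check pwindell describes in point 2, seen from the service's side, as an added example that is not part of this thread or of any vendor's product: a session that starts from one client address and then continues from another is flagged, because the server cannot tell a dual-ISP line jump from a stolen session cookie. The log format, addresses and session ids below are constructed for the example.

```shell
#!/bin/sh
# Added example: flag web sessions whose client address changes mid-session.
# Each constructed log line is "<client_ip> <session_id> <method> <path>".
# 203.0.113.10 and 198.51.100.7 stand in for the two ISP addresses of one
# office; sess-b2 is a control session that never moves.
SAMPLE_LOG='203.0.113.10 sess-a1 GET /payroll/login
203.0.113.10 sess-a1 POST /payroll/run
198.51.100.7 sess-a1 GET /payroll/report
192.0.2.44 sess-b2 GET /payroll/login
192.0.2.44 sess-b2 GET /payroll/summary'

# sessions_with_ip_change: read log lines on stdin and print
# "<session> <first_ip> <new_ip>" once for every address a session
# is later seen from that differs from the address it started on.
sessions_with_ip_change() {
    awk '{
        ip = $1; sid = $2
        # remember the address the session was established from
        if (!(sid in first)) { first[sid] = ip; next }
        # a different address: report it, but only once per (session, ip)
        if (first[sid] != ip && !((sid, ip) in seen)) {
            seen[sid, ip] = 1
            print sid, first[sid], ip
        }
    }'
}

# count_flagged: number of flagged (session, ip) pairs in the sample log
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | sessions_with_ip_change | wc -l | tr -d ' '
}

# Usage: prints "sess-a1 203.0.113.10 198.51.100.7"
printf '%s\n' "$SAMPLE_LOG" | sessions_with_ip_change
```

A service that applies this rule terminates sess-a1 at the third request, which is exactly the disconnect the original poster saw; the only client-side cure is to make sure the session's packets keep leaving through the same ISP address.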
 
LVL 1

Author Comment

by:paulms53
ID: 33569324
I'm happy about the feedback and am happy to say that the Firebox has a solution called "Sticky Connection" which allows me to select a connection to use whenever a client on my end connects to a particular website or service until a predefined timeout, when it will then switch over to my secondary connection.  I went into the firewall and found that the timeout was set to 3 minutes (bad!) so I set it to 1 hour and now I don't seem to have the problem anymore (good!)

I was never considering binding all 443 connections to 1 IP, I was just looking for confirmation of my initial instinct and am happy that I was correct in my assumption.

Thanks to all for your input!
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33569425
to bind all port 443 traffic to one of my IPs

That really is just not even possible.  SSL is an application Layer Protocol that operates from Layer 4 all the way to Layer 7.  The IP Addresses operate at Layer 3.  So they don't even live in the same "world".

The only thing that would have this happen is to have routing equipment that can do Protocol-Based Routing.   In the case of the Watchguard box which is handling the firewalling and WAN routing,...I really doubt it is capable of doing that.   But I could be wrong,..you could check the WG docs and see.
0
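What Zupreme's NAT-per-vendor-range suggestion and pwindell's "Protocol-Based Routing" look like on a Linux router, as an added example that is not from this thread and says nothing about what the WatchGuard Firebox can do: a firewall mark selects TCP/443 traffic for one vendor's range, a policy-routing rule sends marked packets via a dedicated table whose only default route is the first WAN link, and a SNAT rule fixes the source address, so the vendor always sees one IP while all other traffic keeps being balanced. Interface names, addresses, the vendor range and the table number are assumptions for the example; with DRY_RUN=1 (the default) the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: pin HTTPS traffic for one destination range to a single WAN
# link with iproute2 policy routing and iptables (Linux, run as root to apply).
# Assumed layout (constructed): WAN1 is eth1, gateway 203.0.113.1, public
# address 203.0.113.10; vendor range 198.51.100.0/24; routing table 100 unused.
: "${DRY_RUN:=1}"

# run: print the command when DRY_RUN=1, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pin_vendor_https WAN_IF WAN_GW WAN_IP VENDOR_CIDR TABLE
pin_vendor_https() {
    wan_if=$1; wan_gw=$2; wan_ip=$3; vendor=$4; table=$5
    # 1. Dedicated routing table whose only route is the default via WAN1.
    run ip route replace default via "$wan_gw" dev "$wan_if" table "$table"
    # 2. Mark forwarded packets for the vendor range on TCP/443 before the
    #    routing decision (mangle/PREROUTING); the mark value equals the table.
    run iptables -t mangle -A PREROUTING -p tcp -d "$vendor" --dport 443 \
        -j MARK --set-mark "$table"
    # 3. Marked packets consult the dedicated table ahead of the main table.
    run ip rule add fwmark "$table" lookup "$table" priority 100
    # 4. Source-NAT those flows to WAN1's address so the vendor sees one IP.
    run iptables -t nat -A POSTROUTING -o "$wan_if" -d "$vendor" -p tcp \
        --dport 443 -j SNAT --to-source "$wan_ip"
    # 5. Drop cached routing decisions so the rule applies immediately.
    run ip route flush cache
}

# unpin_vendor_https TABLE: remove the rule so vendor traffic falls back to
# the normal routes; call this from a link monitor when WAN1 goes down,
# otherwise the pinned traffic is black-holed exactly as sstone55423 warns.
unpin_vendor_https() {
    table=$1
    run ip rule del fwmark "$table" lookup "$table" priority 100
    run ip route flush cache
}

# Usage (dry run): show the commands for the assumed layout.
pin_vendor_https eth1 203.0.113.1 203.0.113.10 198.51.100.0/24 100
```

Only the vendor's range is pinned, so a WAN1 outage does not take down all HTTPS browsing as it would with a blanket port-443 rule; the vendor session itself will still drop when the link changes, which is the behaviour pwindell says is expected.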
 
LVL 29

Expert Comment

by:pwindell
ID: 33569470
Looks like we posted at the same time.  If the WG did Protocol Based Routing that would be a solution.  But moving the Timeout up higher will work a little bit,..but users may stay on the site more than an hour,...so the problem could still happen, but just less often.  But in any case it looks like you are better off than you were.

0
 
LVL 1

Author Comment

by:paulms53
ID: 33569510
I agree w/ you totally pwindell.   Believe me, it allows me to relax more knowing my instincts were right.
0
