Solved

Binding port 443 to single IP on network.

Posted on 2010-08-30
Last Modified: 2012-06-21
I am having an issue at my company where we are trying to connect to a payroll service that constantly disconnects us.  I was speaking to the tech support guy and he asked if I have multiple Internet connections on my network (I do).  He informed me that if our connections switch over while logged into their service, they automatically break the connection as they see it as a security issue.  His suggestion was to bind all port 443 traffic to one of my IPs on my network so this does not happen.

My questions are as follows:

1. Is this a good suggestion?

2. Is this even possible?  What would be the possible pros/cons?

3. Should I just deal with it?

Any help would be greatly appreciated.

Thanks in advance!
Question by: paulms53
Expert Comment by: sstone55423 (LVL 8, ID: 33560487)
There are many ways to deal with this, depending on the type of firewall that you have.  What could be happening is that you establish an outbound connection on one outbound router, and then the next HTTPS query goes through the other one, and this confuses the end connection.

You could try to allow HTTPS through only one of the routers, using the firewall.  Also, some firewalls allow you to make it always continue a connection through the same outbound connection, which does not seem to be the case with your firewall currently.
 
For us to answer the question for you, we would need a better idea of the firewall router topology, and the types of devices used.
Expert Comment by: jlanderson1 (LVL 5, ID: 33560555)
What I would do is create a default route that points all HTTPS (443) traffic out through one of your routers.  Then bind incoming traffic on port 443 back to the same router.  That will ensure 2-way traffic through one source.

One possible downside is that ALL https traffic will be using one connection, and there is no redundancy.
Accepted Solution by: kpoochi (LVL 5, ID: 33560795), earned 125 total points
1. Is this a good suggestion? It is a good suggestion. However, it might create some issues for Outlook Web Access for the users.

2. Is this even possible?  What would be the possible pros/cons? The con is that sometimes OWA might not work.

3. Should I just deal with it? Best would be to change the payroll service to run on one of your IPs, as it is an internal service.
Assisted Solution by: Zupreme (LVL 4, ID: 33560948), earned 125 total points
I do not recommend the solution advised by your technician.  If you do what he suggests and the network that you have routed all 443 traffic through goes down for any reason, you and your users will be completely unable to access any HTTP websites whatsoever, unless you make another change to the firewall.

A more reasonable solution is to set up a NAT entry on your firewall that will associate all 443 traffic intended for your specific vendor's IP range (get that from the vendor) with the outside interface IP of one of your ISP connections.
Expert Comment by: Zupreme (LVL 4, ID: 33560995)
Amendment:  I meant to say that you would be unable to access any HTTPS websites (not HTTP).
Assisted Solution by: sstone55423 (LVL 8, ID: 33561247), earned 125 total points
The NAT solution results in no service for HTTPS when one connection is down.  Depending on the firewall, there are different possibilities.  What is the topology?

NAT for 443 to one router is effectively the same as a default route via one router.  The issue is that you can't really set a default route for a protocol. You set a default route for a destination host or network IP address. You can make a NAT entry for a protocol (HTTPS) on most firewalls.
Author Comment by: paulms53 (LVL 1, ID: 33561352)
Both internet connections bind to our Firewall (also gateway), which is a Firebox x550e. The Firebox then connects to three switches for our internal LAN, which are connected to our servers and client machines.
Assisted Solution by: pwindell (LVL 29, ID: 33569285), earned 125 total points
I want to go back to the original post.

1. What the tech told you is not the solution,...it doesn't even acknowledge the real problem.

2. The SSL is supposed to disconnect like it is.  SSL is about security, and security can't be guaranteed if it is allowed to keep running while jumping links.  How do you tell the difference between a session hijack and a line jump??

3. Doing what they ask is,...one,...to a certain degree, impossible but depends on the exact equipment you use (meaning I can't speak for all hardware products and what their abilities are or are not),...and secondly,...will potentially screw up any site you may have that uses SSL and is accessed from the outside (like Exchange's Outlook Web Access).

4. The solution is just a partial solution and it would be to stop using the Dual ISP solution as a Load Balancing solution (uses both lines equally or semi-equally).  You have to use it in a Failover Mode where it always uses one preferred connection and the second connection lies dormant and is never used unless the first connection goes down.  Yes,..SSL will still drop if it changes lines,...that is expected and it will happen.

Some Load Balancing type solutions may work but only if the equipment is capable and is configured to keep track of individual sessions and makes sure that once a session is established it will stay on the same line.  Not all equipment may work that way.
Author Comment by: paulms53 (LVL 1, ID: 33569324)
I'm happy about the feedback and am happy to say that the Firebox has a solution called "Sticky Connection" which allows me to select a connection to use whenever a client on my end connects to a particular website or service until a predefined timeout, when it will then switch over to my secondary connection.  I went into the firewall and found that the timeout was set to 3 minutes (bad!), so I set it to 1 hour and now I don't seem to have the problem anymore (good!).

I was never considering binding all 443 connections to 1 IP, I was just looking for confirmation of my initial instinct and am happy that I was correct in my assumption.

Thanks to all for your input!
Expert Comment by: pwindell (LVL 29, ID: 33569425)
"to bind all port 443 traffic to one of my IPs"

That really is just not even possible.  SSL is an application layer protocol that operates from Layer 4 all the way to Layer 7.  The IP addresses operate at Layer 3.  So they don't even live in the same "world".

The only thing that would have this happen is to have routing equipment that can do Protocol-Based Routing.   In the case of the Watchguard box which is handling the firewalling and WAN routing,...I really doubt it is capable of doing that.   But I could be wrong,..you could check the WG docs and see.
Expert Comment by: pwindell (LVL 29, ID: 33569470)
Looks like we posted at the same time.  If the WG did Protocol Based Routing that would be a solution.  But moving the Timeout up higher will work a little bit,..but users may stay on the site more than an hour,...so the problem could still happen, but just less often.  But in any case it looks like you are better off than you were.
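To make the two points above concrete (the author's sticky-connection timeout, and pwindell's warning that a session outliving the timeout still drops), here is an added toy model that is not from the thread and not WatchGuard code: a dual-WAN balancer with a sticky table, plus the far-end check that refuses a logged-in session whose source address changes. It assumes the sticky timeout is an idle timeout, that entries are keyed per (client, destination), and that links are chosen round-robin when no entry exists; all addresses are constructed sample values.

```python
# Added example (not from the thread, not WatchGuard code): a toy dual-WAN
# balancer with a "sticky connection" table and the far-end session check
# described in the thread. Assumptions: sticky timeout is an idle timeout,
# the table is keyed per (client, destination), links are picked round-robin
# when no entry exists. All addresses are constructed sample values.
from dataclasses import dataclass, field

WAN_IPS = ("198.51.100.10", "203.0.113.20")   # two ISP-facing addresses
CLIENT, PAYROLL = "10.0.0.25", "192.0.2.80"    # LAN host and vendor server


@dataclass
class StickyBalancer:
    timeout: int                                  # idle seconds before an entry expires
    table: dict = field(default_factory=dict)     # (client, dest) -> (wan_ip, last_seen)
    rr: int = 0                                   # round-robin cursor

    def egress_ip(self, client: str, dest: str, now: int) -> str:
        """Return the WAN address this flow leaves through at time `now`."""
        key = (client, dest)
        entry = self.table.get(key)
        if entry and now - entry[1] < self.timeout:
            self.table[key] = (entry[0], now)     # still sticky: refresh idle timer
            return entry[0]
        wan = WAN_IPS[self.rr % len(WAN_IPS)]     # expired or new: pick next link
        self.rr += 1
        self.table[key] = (wan, now)
        return wan


def server_accepts(session: dict, src_ip: str) -> bool:
    """Far-end rule from the thread: a session whose source address changes
    cannot be told apart from a hijack, so it is refused."""
    return session.setdefault("src", src_ip) == src_ip


def simulate(timeout: int, request_times: list) -> int:
    """Count forced disconnects for one user who logs in once and then sends
    requests at the given second offsets through the balancer."""
    balancer = StickyBalancer(timeout)
    session: dict = {}
    disconnects = 0
    for t in request_times:
        src = balancer.egress_ip(CLIENT, PAYROLL, t)
        if not server_accepts(session, src):
            disconnects += 1
            session.clear()                       # user has to log in again
    return disconnects
```

With a 3-minute (180 s) timeout, a 4-minute pause between two requests moves the flow to the other link and the server drops the session; with a 1-hour timeout the same pattern survives, but a pause longer than an hour still drops it.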
Author Comment by: paulms53 (LVL 1, ID: 33569510)
I agree with you totally, pwindell.   Believe me, it allows me to relax more knowing my instincts were right.