Asked by sunnuhvuh:
Publishing Multiple HTTPS websites with multiple SSL certificates using Cisco ASA 5505. Do I need multiple external IP addresses?

Hello,

Currently, we have one public IP address on the external interface of the ASA 5505 device.  We need to host several HTTPS websites using multiple SSL certificates.  A SAN certificate or wildcard certificate is not an option due to business requirements.  We also have Forefront TMG running as a reverse proxy in the DMZ, and it can be assigned multiple IP addresses within the DMZ.  My question is: is it possible to host these multiple sites using only one public IP address on the Cisco ASA?  Or do I need a public IP for each site since it is using SSL?  Thanks in advance.  Please let me know if clarification is needed.
pwindell:

You would have to have multiple IP#s on the external interface of the ISA/TMG.  If this is a Back-to-Back DMZ with the ISA/TMG on the "inner" boundary and the ASA on the "outer" boundary then these would be multiple IP#s from the DMZ segment (which it looks like you understand that).

The problem is that ASA must forward the traffic to the correct IP# on the TMG based on the Domain Name in the URL.  If it can do that then you are fine,...if not then you are probably screwed,...unless you use a SAN Cert or a Wildcard Cert.  So your business requirements would have to change.  

I don't "do" ASA so I can't help with that.

Unfortunately, the equipment and the technologies they operate under don't care about arbitrary business requirements,...they only care about reality :-)

You did post this in the Forefront forum, so I answered what I could based on TMG,...even if all I did was verify what you already knew.  People from the ASA forum can deal with the ASA side of the story.
sunnuhvuh (ASKER):
Thanks for the reply.  That was the part I was having problems with: trying to understand how to route traffic for port 443 on the ASA to multiple IP addresses on the TMG box.  I don't think it is possible from one external IP address on the ASA, but I was hoping a Cisco person could verify.  Thanks again.
ASKER CERTIFIED SOLUTION by dinkytoy101 (members-only; text not shown)
Where the SSL Terminates will vary with the setup.  The ISA/TMG can do it in at least 3 different ways. I don't know about  the ASA.  ISA/TMG can either Bridge the SSL,..Pass-thru the SSL,...or just ignore the SSL and let the Web Server worry about it.

IIS can certainly allow multiple sites on the same socket if you add HostHeaders to the Site's config,...although if the sites are SSL I'm not sure if IIS forces a different IP for each Cert.

ISA/TMG will also distinguish based on the HostHeader in its Publishing Rules.  ISA/TMG will also allow all the SSL Sites to run on the same socket as long as you do NOT use a Web Server Publishing Rule,...that is,...you use a Non-Web Server Publishing Rule,..meaning there is no Listener and there is no Certificate on the ISA/TMG. Basically it would just "throw everything" at the IIS and let IIS sort it out.
SOLUTION (members-only; text not shown)
IIS can certainly allow multiple sites on the same socket if you add HostHeaders to the Site's config,...although if the sites are SSL I'm not sure if IIS forces a different IP for each Cert.

That was a little fuzzy.  I had the case in mind where it is a Non-Web Publishing Rule where ISA/TMG wouldn't care about the 1 Cert per 1 IP thing.   But IIS might still hit you with the 1 IP per 1 Cert thing,...I'm just not sure how IIS handles that.
IIS does force a different IP per SSL site.

Ok, good enough. I wasn't sure about that.
So I guess the bottom line here is either:

1. SAN or Wildcard Certs are going to have to be used

OR

2. Get more IP#s from the ISP.
Thanks guys for all of the information.  You pretty much confirmed what I was presuming, but just wanted to make sure before I requested more IP's from my ISP.  Thanks again.
Ernie Beek:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.