Reverse proxy and self signed SSL Certificate

I am running an internal web server which has the public DNS https://xyz.com
This is accesible via our reverse proxy server (Apache) http://proxyserver.com

I have the problem when external users go to  https://xyz.com, and try to install the self signed cerificate into the trusted root certificates for Internet explorer they are issued with the certifcate from our reverse proxy http://proxyserver.com

I know this works because on my home pc (outside of work, Vista) I am issued with the certificate from https://xyz.com.  

So here are the steps
User uses IE and enters in https://xyz.com, they get a certifcate error, they then click on view certificates and see that the certifcate is for proxyserver.com ,not xyz.com.
Of course when they try to install the certifcate correctly everytime they go to xyz.com they will get the certificate error.
LVL 1
IandINSWAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ACECORPCommented:
I believe that the only way you can fix the issue is to modify your architecture.

I would advise the following...

If a user tries to access http://xyz.com the public address for http://xyz.com must be an IP address associated with the apache instance for xyz.com on your reverse proxy server (you will have a ton of them).

When the external user hits that reverse proxy apache site, your reverse proxy server apache site will then execute a re-write rule to re-write your request to the proper internal server inside your network.

The external user's web browser will never see or know about this re-write rule because they are interacting with http://xyz.com on your reverse proxy server. Not with http://myinternalwebsite.local thats inside your network.

The SSL Certificate for xyz.com must sit on the reverse proxy server's apache site for xyz.com
IandINSWAuthor Commented:
The strange thing is I am issued the right certificate on some computers and not on others!!! :(
On one machine using Windows server 2008 R2 IE 9.0 I get the certificate for xyz.com.
On another machine WIn 7 Ultimate IE9.08 they are getting the proxyserver.com certificate.
Become a Leader in Data Analytics

Gain the power to turn raw data into better business decisions and outcomes in your industry. Transform your career future by earning your MS in Data Analytics. WGU’s MSDA program curriculum features IT certifications from Oracle and SAS.  

ACECORPCommented:
You may need to trace out the traffic at the packet level using a sniffer to get to the bottom of the situation.
IandINSWAuthor Commented:
Packet sniffer just takes it to another level which will not help me as I can not read or understand the results.  I did find on the IE 9.0 this fixed the problem.  Tools --> Options --> Advanced TAB in the SSL options, I made sure only SSL 3.0 was selected, but on IE 8.0 on the XP machine the problem is still occuring! :(
IandINSWAuthor Commented:
I found out that on some computers it is an IIE setting for SSL certificates.
Tools --> Internet options --> Advanced TAB, Use SSL3.0 only tick selected and untick Use SSl 2.0. Fixed it on some.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IandINSWAuthor Commented:
I resolved it so only good.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.