• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 429

Routing to multiple SSL sites

Hi, we're trying to find a way to clean up the way we are doing business. Currently we have several different sites and applications that require an SSL. We use a separate router (and public address) to redirect 443 traffic to the appropriate internal server or machine that has the SSL. We would like to get down to one router, server or appliance and still have all of the traffic directed to the appropriate server that has the site or application SSL assigned. Can this be done with a router or SonicWall-type appliance, proxy server, IIS host headers, server on the DMZ side, or is there an application that can be used? I would prefer a way to keep the machine on the inside and have the router direct traffic to it. Thanks in advance for your ideas.

Thanks,
Jay
0
Asked by: OGDITAdmin
1 Solution
 
Paul MacDonald, Director, Information Systems, commented:
One business-class router using NAT is capable of routing your traffic appropriately. You would create rules in the router to forward SSL traffic for a particular public IP address to an internal IP address.
0
 
Frosty555 commented:
Having multiple public addresses (e.g. a block of addresses) is the easiest way to do the routing - one public address per server. In that case what Paulmacd said is correct - a good business class router can handle that.

However if your intention is to save money by having just ONE public IP and you have multiple internal webservers that need to be served... you will run into some trouble. Routers only route by IP address. They CANNOT forward traffic based on the hostname used to resolve the site, so port 443 traffic can only be directed to a single webserver.

In that case, a potential tool to keep in your bag of tricks is a "reverse proxy". Essentially a single, dedicated server which is responsible for accepting ALL port 443 traffic, and forwarding it onwards to the correct internal webserver based on hostname.

A reverse proxy is implemented by Apache in your favourite flavor of linux. I'm sure IIS probably has an implementation of it as well but I don't have experience there.

See Apache Reverse Proxy - http://www.apachetutor.org/admin/reverseproxies
0
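The reverse-proxy layout Frosty555 describes, written out as an added example (this is not configuration from the original thread or from the linked tutorial). It assumes Apache 2.4 with mod_ssl and mod_proxy, two public hostnames app1.example.com and app2.example.com, certificate paths under /etc/ssl, and two internal backends (10.0.0.11 speaking plain HTTP, and app2-backend.internal speaking HTTPS with a certificate issued by an assumed internal CA); all of those names and addresses are placeholders. Both virtual hosts share one public IP and port 443; mod_ssl picks the certificate from the hostname the client sends in the TLS Server Name Indication (SNI) extension, which is what lets a single address front several SSL sites.

```apacheconf
# Added example (not from the original thread): one Apache 2.4 host that
# terminates TLS for two sites on a single public IP and proxies each to
# the internal server that actually runs the application.
# Hostnames, internal addresses and certificate paths are assumptions.
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so

Listen 443

# Never act as a forward proxy: an Internet-facing Apache with
# ProxyRequests On is an open proxy. ProxyPass works with it Off.
ProxyRequests Off
# Pass the client's original Host header through, so a backend that
# selects sites by host header (e.g. IIS host headers) still works.
ProxyPreserveHost On

# TLS hygiene for the public side.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on

# The first <VirtualHost> on *:443 is the default: it also answers clients
# that send no SNI, so put the site you least mind exposing here.
<VirtualHost *:443>
    ServerName app1.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app1.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app1.example.com.key

    # Backend speaks plain HTTP on the internal LAN (assumed 10.0.0.11).
    ProxyPass        / http://10.0.0.11/
    ProxyPassReverse / http://10.0.0.11/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

<VirtualHost *:443>
    ServerName app2.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app2.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app2.example.com.key

    # This backend keeps its own HTTPS listener (assumed internal name
    # app2-backend.internal). The proxy re-encrypts and verifies the
    # backend certificate against the internal CA, so a host that merely
    # squats on that address cannot receive the traffic.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt
    ProxyPass        / https://app2-backend.internal/
    ProxyPassReverse / https://app2-backend.internal/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

With this in place the router or firewall forwards port 443 on the single public address to the proxy host only; the application servers stay on the inside and are never reachable from the Internet directly. Validate the file with `apachectl configtest`, then confirm that each hostname gets its own certificate with `openssl s_client -connect <public-ip>:443 -servername app2.example.com` and check the subject of the certificate returned. The caveat is the default-host rule above: any client that does not send SNI is handed the first virtual host's certificate and site regardless of which name it typed.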
 
OGDITAdmin (Author) commented:
Thanks Paulmacd and Frosty555 for your input. Paul, I have a question. Can you assign multiple public IP addresses to the WAN port of the router? What router would you recommend? We are looking at a Sonicwall NSA2400, but are open to anything.

Thanks,
Jay
0
 
Paul MacDonald, Director, Information Systems, commented:
Most routers that aren't for home use will let you configure them for multiple IP addresses.  This is typically in the form of a range of contiguous addresses (1.2.3.1 - 1.2.3.254, say).

I've only ever used Cisco routers, but they should all function more or less equally. I currently use a pair of Cisco 5510s and am very happy with them. That said, my Cisco doesn't have the packet inspection capabilities your SonicWall has.
0
