Solved

SSL and redirect issues

Posted on 2012-12-21
550 Views
Last Modified: 2012-12-24
Ok, this is complicated to describe:

We have our primary web domain, y.net, on Bluehost.

We have a sub-domain that we redirected from bluehost to a DMZ webserver at our local office.  So the sub-domain is x.y.net.  I can hit the default IIS webpage through HTTP with that, so the redirect is working.

Now, it turns out the previous IT admin also has a redirect from bluehost for our exchange/owa login.  He also had a digicert UCC certificate on it.  Now, I can add the new subdomain to that but then I have two redirects to our external IP with no way to differentiate which HTTPS requests go to which server.  Redirects cannot specify external ports on Bluehost for port forwarding.

We use a Netgear UTM25 firewall and I don't see how to make any rules that can differentiate this traffic.

At first I was going to replace the UCC with a wildcard and consolidate everything, but that still doesn't solve my HTTPS routing problem.

The solutions I have come up with:

1. Specify second external IP on the second WAN port, but I am not sure that won't cause issues with internal routing as the web server has to communicate with our DNS and an SQL server through port forwards.

2. Remove the sub-domain for the exchange server and make the connection instead through an external port forward, but I am not sure that will alleviate the HTTPS confusion.

Any thoughts?
Question by:gmanry
17 Comments
 
LVL 6

Expert Comment

by:traoher
ID: 38714820
Why not just change the DNS record of your exchange to point to your external IP that is NATed for your exchange?

Bluehost controls your DNS record, so you will need to log in and change it or open a ticket to have them change it.
 

Author Comment

by:gmanry
ID: 38714828
The bluehost record does point to that address.

The record for the new subdomain points at our web IP and then redirects to our external IP.  The result is that they are still pointing at the same external IP.  

So, when an HTTPS request comes in it automatically wants to go to the exchange server, and I don't see a way in the Netgear gateway to break that down any further.  Redirects don't allow for port specifications and neither do DNS records.
 
LVL 6

Expert Comment

by:traoher
ID: 38714838
Are the back-end hosts two different hosts?

If so, it is not possible unless you have port forwarding, but the session request must include the port information.

If it is on the same host, a host header can easily take care of it; the only requirement is that the FQDN must be used in making the connection.

I would recommend double checking your DNS records and your NAT table.
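Added example, not code from either poster and not the route the thread eventually took: the gateway only sees the destination IP and port, which is why a plain port forward cannot tell OWA traffic from traffic for the new site. What does differ between the two requests is the server_name (SNI) extension in the TLS ClientHello, sent in the clear before any key exchange, so an SNI-aware proxy in the DMZ could sit behind a single :443 forward and hand each connection to the right server. The script builds a constructed ClientHello, parses the SNI out of it and picks a back end. The hostnames are the thread's; the 10.0.0.x addresses are assumptions. A ClientHello with no SNI goes to Exchange, which is what the UTM25 does with bare HTTPS today.

```python
"""Route HTTPS on one WAN IP by the SNI in the TLS ClientHello.

Added example; not code from the thread. Hostnames follow the thread,
the back-end addresses are assumed.
"""
import struct


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + _u16(len(name)) + name               # name_type 0 = host_name
        name_list = _u16(len(entry)) + entry
        extensions += _u16(0x0000) + _u16(len(name_list)) + name_list  # ext 0 = server_name
    body = (
        b"\x03\x03"                  # client_version: TLS 1.2
        + b"\x00" * 32               # random (zeroed; this is only a parser fixture)
        + b"\x00"                    # session_id length 0
        + _u16(2) + b"\xc0\x2f"      # one cipher suite
        + b"\x01\x00"                # compression_methods: null only
    )
    if extensions:
        body += _u16(len(extensions)) + extensions
    handshake = b"\x01" + _u24(len(body)) + body               # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # ContentType handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if absent.

    Malformed input raises ValueError instead of silently falling back, so a
    proxy built on this never routes a garbage record to the default back end.
    """
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len, = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("not a complete ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                           # skip version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos == len(body):
            return None                                        # no extensions block at all
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + length]
            pos += 4 + length
            if ext_type != 0x0000:
                continue
            list_len, = struct.unpack("!H", data[:2])
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len, = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                if name_type == 0:
                    return data[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


# Assumed DMZ/LAN addresses; the hostnames are the ones used in the thread.
BACKENDS = {
    "exchange.y.net": ("10.0.0.10", 443),   # Exchange / OWA
    "x.y.net": ("10.0.0.20", 443),          # new DMZ IIS site
}
# Same behaviour as the UTM25 today: bare :443 with no hostname goes to Exchange.
DEFAULT_BACKEND = BACKENDS["exchange.y.net"]


def route(record):
    """Pick the back end for one ClientHello; unknown or absent SNI gets the default."""
    sni = extract_sni(record)
    if sni is None:
        return DEFAULT_BACKEND
    return BACKENDS.get(sni.lower().rstrip("."), DEFAULT_BACKEND)


if __name__ == "__main__":
    for host in ("x.y.net", "exchange.y.net", None):
        print(host, "->", route(build_client_hello(host)))
```

Two caveats for anyone doing this for real: the proxy must decide on the first record only and then splice the TCP stream untouched (it never sees plaintext unless it terminates TLS itself), and clients that send no SNI at all, Internet Explorer on Windows XP being the common 2012 case, will always land on the default back end and get its certificate.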
 

Author Comment

by:gmanry
ID: 38714849
That is how it is looking to me.  I think my best bet will be to put the exchange access on a port forwarded setup.  I don't know why the previous admin created a whole subdomain to handle that, when it doesn't have to be listed on the organization's webpage.

What about using a second external IP on the second WAN port for the new sub-domain?
 

Author Comment

by:gmanry
ID: 38714856
Right now, the Netgear is set to redirect any general HTTPS not port specified to the exchange server.

When the redirects come in, will they be through bluehost or will they be from the originating computer?  If they are from bluehost, then I can use a port forward to redirect those to the webserver.

I am not clear on whether bluehost plays intermediary or just passes it on.
 
LVL 6

Expert Comment

by:traoher
ID: 38714862
Yes, but I would recommend you find out all the NAT rules that were created.

What WAN IPs were used, how many are still available, what was NATed, etc.

Try to have a full understanding of what was in place before creating a new topology.
 

Author Comment

by:gmanry
ID: 38714866
I thought I did, but apparently not.  I am getting that information together.

Do you think it would be better to use a second WAN IP or to demote the exchange sub-domain to a NAT scheme?

I really appreciate the feedback.
 
LVL 6

Expert Comment

by:traoher
ID: 38714874
Figure out the information and topology, repost it and I will then make some recommendations.

 

Author Comment

by:gmanry
ID: 38714876
Fair enough.
 

Author Comment

by:gmanry
ID: 38715958
Ok, I have attached a PDF file that lays out our topology and I have double checked the NAT rules.
Topology.pdf
 
LVL 6

Accepted Solution

by:
traoher earned 500 total points
ID: 38716087
Thank you for posting the topology.  

From the information you provided, there are a number of things you would want to accomplish.

1.  A single certificate for multiple servers.  That's an easy problem; you just need to buy a unified communications certificate with multiple common names (aka SAN cert).  With it you can install it on multiple servers.  The exception is your Exchange: one of the names on the cert must exactly match your Exchange server's computer name.

In regard to your networking issue:  

I haven't deployed the type of gateway appliance you have; however, most edge devices such as routers/firewalls are built much the same way.

Capabilities of these devices:

1.  1:1 NAT (aka static NAT): a one-to-one mapping such that one LAN IP maps to one WAN IP.
2.  1:many NAT (aka PAT): a port mapping that allows more than one computer on the LAN to use the external WAN IP.

Also, your ISP normally assigns IPs in blocks of 2, 6, 14 or 30, with the usable IPs being 1, 5, 13 or 29, because they always take one for the gateway IP; so check with your ISP for your IP block and how many you got.

If you can create a 1:1 NAT for your exchange, do so; your inbound firewall rules for the exchange will require at least two inbound types of connections:
1.  tcp 25 for mail delivery
2.  tcp 443 for https connection to the owa directory
3.  change your mx record to match the new NAT rule.
4.  change your DNS record for external resolution to match the new NAT rule

If you cannot create a 1:1 NAT, then you must use port forwarding rules.  However, port forwarding rules based on destination ports will only work if the ports being used are unique.
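Added example, not code from the thread, for the certificate half of the accepted solution (and for the wildcard idea floated in the question): the script applies the RFC 6125 name-matching rules to a SAN list and reports which required host names are left uncovered. The SAN lists are constructed to mirror the thread: the y.net hostnames are the thread's, and the internal Exchange computer name exch01.corp.local is an assumption standing in for the name the accepted solution says must appear on the cert.

```python
"""Check which host names a certificate's SAN list covers (RFC 6125 matching).

Added example; not code from the thread. The SAN lists below are constructed
to mirror the thread: the y.net hostnames are the thread's, the internal
Exchange computer name exch01.corp.local is an assumption.
"""


def hostname_matches(san, host):
    """True if SAN dNSName `san` covers `host` under RFC 6125 section 6.4.3 rules."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in san:
        return san == host                    # exact match, case-insensitive
    s_labels = san.split(".")
    h_labels = host.split(".")
    if s_labels[0] != "*" or "*" in san[2:]:
        return False                          # wildcard must be the whole leftmost label
    if len(s_labels) < 3:
        return False                          # refuse *.tld style patterns
    if len(s_labels) != len(h_labels):
        return False                          # '*' spans exactly one label: no bare
                                              # domain, no deeper subdomain
    return s_labels[1:] == h_labels[1:]


def coverage(san_names, required_hosts):
    """Map each required host to the SAN entry that covers it, or None."""
    return {
        host: next((san for san in san_names if hostname_matches(san, host)), None)
        for host in required_hosts
    }


def uncovered(san_names, required_hosts):
    """Sorted list of required hosts that no SAN entry covers."""
    return sorted(h for h, san in coverage(san_names, required_hosts).items() if san is None)


# Names the office servers must present, per the thread (exch01.corp.local is assumed).
REQUIRED = ["exchange.y.net", "mail.y.net", "x.y.net", "exch01.corp.local"]
# Constructed stand-in for the existing DigiCert UCC: no entry yet for the new site.
UCC_SANS = ["exchange.y.net", "mail.y.net", "autodiscover.y.net", "exch01.corp.local"]
# The wildcard the question considered instead.
WILDCARD_SANS = ["*.y.net"]

if __name__ == "__main__":
    print("UCC leaves uncovered:     ", uncovered(UCC_SANS, REQUIRED))
    print("Wildcard leaves uncovered:", uncovered(WILDCARD_SANS, REQUIRED))
```

Run against the constructed lists, the UCC only lacks the new x.y.net entry, which is exactly what re-issuing it with one more SAN fixes, while the wildcard covers every y.net host at one label deep but can never cover the internal computer name, the bare y.net or anything two labels deep. One present-day caveat: public CAs have refused to issue certificates containing internal names such as .local since the 2015 CA/Browser Forum deadline, so today that name would have to come from an internal CA or the Exchange namespace would have to be moved onto a public suffix.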
 

Author Comment

by:gmanry
ID: 38716137
So, when I look at my MX record it is actually set to mail.domain.net instead of exchange.domain.net.

The current UCC/SANS covers that domain as well.

I am stepping into somebody else's mess.  

Ok, so from what I am gathering of your response, using a second WAN IP would be the way to go and then work the NAT rules to route the traffic.

We do have some other external IPs still available.
 

Author Comment

by:gmanry
ID: 38716236
I have configured the UTM25 for load balancing across the two external IPs.  

1. SMTP is already configured to point at the exchange.
2. HTTPS as well
3. For some reason the MX record is pointed at mail.domain.net, I don't know why.  I will change it to exchange.domain.net.  Though if it is set incorrectly here and now, what effect is it having?
4. The DNS record on Bluehost is already set and pointing the exchange domain at our first external IP.

I am probably a level above my knowledgebase here.  I do understand what these things are, but I have not had to configure them like this before.  More explicit help would be greatly appreciated.
 
LVL 6

Expert Comment

by:traoher
ID: 38716376
No, do not change your MX record unless it is broken.  An MX record pointing to mail.company.com is usually the default configuration.

Your problem is not your DNS or MX record; your problem is your NAT, or the lack of it.

So if you have only a single IP, your only option is to get more IPs from your ISP and then configure proper NAT rules (unless you want to do port forwarding as described above).
 

Author Comment

by:gmanry
ID: 38719051
Ok,

So this is what I have so far:

1. Bluehost DNS is now pointed at secondary WAN IP
2. Bluehost redirect is pointed at subdomain.domain.net (this mirrors how our exchange DNS and redirect are set up, which seem to work fine).
3. Now I have to work on the NAT rules.
4. Then I have to incorporate the subdomain into the UCC/SANS certificate.

I really appreciate your help.  I, hopefully, will be closing this question soon.  Thanks again, and happy holidays.
 

Author Comment

by:gmanry
ID: 38719358
Ok,

I think I got it up and running now.

Thanks for your help Traoher.  I will ask a new question if I need further assistance.
 

Author Closing Comment

by:gmanry
ID: 38719363
It was a combination of NAT and DNS record issues plus somebody who isn't as skilled in the mounting HTTPS websites department as he would like to be. :)