  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 566

SSL and redirect issues

Ok, this is complicated to describe:

We have our primary web domain on bluehost y.net.  

We have a sub-domain that we redirected from bluehost to a DMZ webserver at our local office.  So the sub-domain is x.y.net.  I can hit the default IIS webpage through HTTP with that, so the redirect is working.

Now, it turns out the previous IT admin also has a redirect from bluehost for our exchange/owa login.  He also had a digicert UCC certificate on it.  Now, I can add the new subdomain to that but then I have two redirects to our external IP with no way to differentiate which HTTPS requests go to which server.  Redirects cannot specify external ports on Bluehost for port forwarding.

We use a Netgear UTM25 firewall and I don't see how to make any rules that can differentiate this traffic.

At first I was going to replace the UCC with a wildcard and consolidate everything, but that still doesn't solve my HTTPS routing problem.

The solutions I have come up with:

1. Specify second external IP on the second WAN port, but I am not sure that won't cause issues with internal routing as the web server has to communicate with our DNS and an SQL server through port forwards.

2. Remove the sub-domain for the exchange server and make the connection instead through an external port forward, but I am not sure that will alleviate the HTTPS confusion.

Any thoughts?
0
Asked by: gmanry
1 Solution
 
traoher Commented:
Why not just change the DNS record of your exchange to point to your external IP that is NATed for your exchange?

Blue controls your DNS record so you will need to login and change it or open a ticket to have them change it.
0
 
gmanry (Author) Commented:
The bluehost record does point to that address.

The record for the new subdomain points at our web IP and then redirects to our external IP.  The result is that they are still pointing at the same external IP.  

So, when an HTTPS request comes in it automatically wants to go to the exchange server, and I don't see a way in the Netgear gateway to break that down any further.  Redirects don't allow for port specifications and neither do DNS records.
0
 
traoher Commented:
Are the back-end hosts two different hosts?

If so, not possible unless you have port forwarding; but the session request must include the port information.  

If it is on the same host, a host header can easily take care of it, only requirement is that the FQDN must be used in making the connection.

I would recommend double checking your DNS records and your NAT table.
0

 
gmanry (Author) Commented:
That is how it is looking to me.  I think my best bet will be to put the exchange access on a port forwarded setup.  I don't know why the previous admin created a whole subdomain to handle that, when it doesn't have to be listed on the organization's webpage.

What about using a second external IP on the second WAN port for the new sub-domain?
0
 
gmanry (Author) Commented:
Right now, the Netgear is set to redirect any general HTTPS not port specified to the exchange server.

When the redirects come in, will they be through bluehost or will they be from the originating computer?  If they are from bluehost, then I can use a port forward to redirect those to the webserver.

I am not clear on whether bluehost plays intermediary or just passes it on.
0
 
traoher Commented:
Yes, but I would recommend you to find out all the NAT rules that were created.

What WAN IPs were used, how many are still available, what was NATed, etc.

Try to have a full understanding of what was in place before creating a new topology.
0
 
gmanry (Author) Commented:
I thought I did, but apparently not.  I am getting that information together.

Do you think it would be better to use a second WAN IP or to demote the exchange sub-domain to a NAT scheme?

I really appreciate the feedback.
0
 
traoher Commented:
Figure out the information and topology, repost it and I will then make some recommendations.
0
 
gmanry (Author) Commented:
Fair enough.
0
 
gmanry (Author) Commented:
Ok, I have attached a PDF file that lays out our topology and I have double checked the NAT rules.
Topology.pdf
0
 
traoher Commented:
Thank you for posting the topology.  

From the information you provided, there are a number of things you would want to accomplish.

1.  Single certificate for multiple servers.  That's an easy problem, you just need to buy a unified communication certificate with multiple common names (aka SAN cert).  With it you can install it on multiple servers.  The exception is your exchange: one of the names on the cert must match exactly your exchange server's computer name.

In regard to your networking issue:  

I haven't deployed the type of gateway appliance you have; however, most edge devices such as routers/firewalls are built much the same way.

Capabilities of these devices:

1.  1:1 NAT (aka static NAT); it is a one-to-one NAT such that 1 LAN IP maps to 1 WAN IP.
2.  1:many NAT (aka PAT); it is a port mapping and allows more than one computer from the LAN to use the external WAN IP.

Also, your ISP normally assigns IPs in blocks of 2, 6, 14, 30 with usable IPs being 1, 5, 13, 29 because they always take one for the gateway IP, so check with your ISP for your IP block and how many you got.

If you can create a 1:1 NAT for your exchange, do so; your inbound firewall rules for the exchange will require at least two inbound types of connections:
1.  tcp 25 for mail delivery
2.  tcp 443 for HTTPS connection to the OWA directory
3.  change your MX record to match the new NAT rule.
4.  change your DNS record for external resolution to match the new NAT rule

If you cannot create 1:1 NAT, then you must use port forwarding rules.  However, port forwarding rules based on destination ports will only work if the ports being used are unique.
0
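The distinction traoher draws above, between 1:1 NAT (a whole public IP dedicated to one host) and destination-port forwarding (which only works while each destination port is unique per public IP), can be modelled in a few lines. The following is an added example, not the Netgear UTM25's configuration or any vendor's API; every address in it is constructed from RFC 5737 and RFC 1918 ranges and the host names are assumptions standing in for the poster's Exchange and DMZ web servers. It reproduces the original conflict (one WAN IP, two hosts both needing tcp/443) and the resolution (1:1 NAT on the first IP for Exchange, port forwards on a second IP for the web server):

```python
"""Toy model of inbound NAT on a small edge firewall, contrasting 1:1 (static)
NAT with destination-port forwarding (PAT).

Added illustration only; not the UTM25's rule format or any vendor's API.
All addresses are constructed (RFC 5737 documentation / RFC 1918 ranges)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample topology (assumption, not the poster's real addresses)
WAN_A = "203.0.113.10"      # first ISP-assigned public IP
WAN_B = "203.0.113.11"      # second public IP from the same block
EXCHANGE = "192.168.10.5"   # internal Exchange server (SMTP + OWA)
DMZ_WEB = "192.168.20.8"    # IIS web server in the DMZ


@dataclass
class Firewall:
    """Inbound translation table; a static NAT entry owns its WAN IP outright."""
    static_nat: Dict[str, str] = field(default_factory=dict)  # wan_ip -> lan_host
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(
        default_factory=dict)  # (wan_ip, dest_port) -> (lan_host, lan_port)

    def add_static_nat(self, wan_ip: str, lan_host: str) -> None:
        # 1:1 NAT dedicates the whole public address to one host, so it cannot
        # coexist with port forwards on that same address.
        if wan_ip in self.static_nat:
            raise ValueError(f"{wan_ip} is already 1:1 mapped to {self.static_nat[wan_ip]}")
        if any(ip == wan_ip for ip, _ in self.port_forwards):
            raise ValueError(f"{wan_ip} already carries port forwards; 1:1 NAT would shadow them")
        self.static_nat[wan_ip] = lan_host

    def add_port_forward(self, wan_ip: str, wan_port: int, lan_host: str,
                         lan_port: Optional[int] = None) -> None:
        # PAT keys on (public IP, destination port): the port must be unique per IP.
        lan_port = wan_port if lan_port is None else lan_port
        if wan_ip in self.static_nat:
            raise ValueError(f"{wan_ip} is 1:1 mapped to {self.static_nat[wan_ip]}; no forward needed")
        existing = self.port_forwards.get((wan_ip, wan_port))
        if existing is not None and existing != (lan_host, lan_port):
            raise ValueError(
                f"destination port {wan_port} on {wan_ip} is not unique: already forwards to "
                f"{existing[0]}:{existing[1]}, cannot also forward to {lan_host}:{lan_port}")
        self.port_forwards[(wan_ip, wan_port)] = (lan_host, lan_port)

    def route(self, wan_ip: str, dest_port: int) -> Optional[Tuple[str, int]]:
        """Where an inbound packet to wan_ip:dest_port lands; None means dropped.
        Allow rules for tcp/25 and tcp/443 are assumed to exist beside the NAT."""
        if wan_ip in self.static_nat:
            return (self.static_nat[wan_ip], dest_port)
        return self.port_forwards.get((wan_ip, dest_port))


def single_wan_ip_attempt() -> Optional[str]:
    """The original situation: one public IP, two hosts that both need tcp/443.
    Returns the conflict message, or None if no conflict arose."""
    fw = Firewall()
    fw.add_port_forward(WAN_A, 25, EXCHANGE)
    fw.add_port_forward(WAN_A, 443, EXCHANGE)    # OWA
    try:
        fw.add_port_forward(WAN_A, 443, DMZ_WEB)  # new subdomain also wants HTTPS
    except ValueError as err:
        return str(err)
    return None


def two_wan_ip_plan() -> Dict[str, Optional[Tuple[str, int]]]:
    """The resolution: WAN_A dedicated to Exchange by 1:1 NAT, tcp/80 and tcp/443
    on WAN_B forwarded to the DMZ web server.  Returns what each public endpoint
    resolves to, which is what the external DNS records must then reflect."""
    fw = Firewall()
    fw.add_static_nat(WAN_A, EXCHANGE)
    fw.add_port_forward(WAN_B, 80, DMZ_WEB)
    fw.add_port_forward(WAN_B, 443, DMZ_WEB)
    return {
        "exchange smtp": fw.route(WAN_A, 25),
        "exchange owa": fw.route(WAN_A, 443),
        "web http": fw.route(WAN_B, 80),
        "web https": fw.route(WAN_B, 443),
        "wan_b smtp (not forwarded)": fw.route(WAN_B, 25),
    }


if __name__ == "__main__":
    print("single WAN IP:", single_wan_ip_attempt())
    for endpoint, target in two_wan_ip_plan().items():
        print(f"{endpoint:>28} -> {target}")
```

The model deliberately refuses a 1:1 entry on an address that already has port forwards, since on most edge devices the static mapping would silently shadow them; auditing the existing NAT table before adding the second WAN IP, as traoher advises, is what catches that.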
 
gmanry (Author) Commented:
So, when I look at my MX record it is actually set to mail.domain.net instead of exchange.domain.net.

The current UCC/SANS covers that domain as well.

I am stepping into somebody else's mess.  

Ok, so from what I am gathering of your response, using a second WAN IP would be the way to go and then work the NAT rules to route the traffic.

We do have some other external IPs still available.
0
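Whether the existing UCC (SAN) certificate, or the wildcard considered earlier in the thread, actually covers every name in play is something to check rather than assume, and traoher's point that the exchange name must match exactly means a wildcard match is not enough for that host. The following added example, not part of the original thread, reports for each required hostname whether it is covered by an exact SAN entry, by a wildcard entry, or not at all; the SAN lists and hostnames are constructed to mirror the thread (y.net, mail.y.net, exchange.y.net, x.y.net), and the wildcard rule implemented is the usual client rule from RFC 6125 (one leftmost label only):

```python
"""Report how a certificate's Subject Alternative Names cover a set of hostnames.

Added illustration; the SAN lists below are constructed, not the poster's real
certificate.  Wildcard matching follows RFC 6125 section 6.4.3 as most clients
apply it: '*' must be the entire leftmost label and matches exactly one label."""
from typing import Dict, Iterable, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.strip().lower().rstrip(".")


def match_kind(hostname: str, san_names: Iterable[str]) -> Optional[str]:
    """Return "exact", "wildcard", or None for how hostname is covered.

    '*.y.net' covers 'x.y.net' but neither 'y.net' nor 'a.x.y.net'; an exact
    entry always wins over a wildcard one."""
    host = _normalize(hostname)
    if not host:
        return None
    labels = host.split(".")
    kind = None
    for raw in san_names:
        name = _normalize(raw)
        if name == host:
            return "exact"
        if name.startswith("*.") and "*" not in name[2:]:
            suffix_labels = name[2:].split(".")
            # '*' consumes one label; the remainder must match label for label,
            # and a wildcard on a public suffix alone ('*.net') is rejected.
            if (len(suffix_labels) >= 2
                    and len(labels) == len(suffix_labels) + 1
                    and labels[1:] == suffix_labels):
                kind = "wildcard"
    return kind


def coverage_report(required: Iterable[str],
                    san_names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each required hostname to its match kind (None = not covered)."""
    sans = list(san_names)
    return {h: match_kind(h, sans) for h in required}


# Constructed example mirroring the thread: an existing UCC for the mail
# names, and the new web subdomain x.y.net that still has to be added.
UCC_SANS = ["y.net", "mail.y.net", "exchange.y.net", "autodiscover.y.net"]
WILDCARD_SANS = ["y.net", "*.y.net"]
REQUIRED = ["exchange.y.net", "mail.y.net", "x.y.net", "y.net", "deep.x.y.net"]

if __name__ == "__main__":
    for label, sans in (("UCC", UCC_SANS), ("wildcard", WILDCARD_SANS)):
        print(label)
        for host, kind in coverage_report(REQUIRED, sans).items():
            print(f"  {host:16} {kind or 'NOT COVERED'}")
```

Run against the UCC list the report shows x.y.net uncovered, which is the step the thread ends on (adding the subdomain to the certificate); run against the wildcard list it shows exchange.y.net covered only by the wildcard, and a second-level name such as deep.x.y.net covered by neither.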
 
gmanry (Author) Commented:
I have configured the UTM25 for load balancing across the two external IPs.  

1. SMTP is already configured to point at the exchange.
2. HTTPS as well
3. For some reason the MX record is pointed at mail.domain.net, I don't know why.  I will change it to exchange.domain.net.  Though if it is set incorrectly here and now, what effect is it having?
4. The DNS record on Bluehost is already set and pointing the exchange domain at our first external IP.

I am probably a level above my knowledgebase here.  I do understand what these things are, but I have not had to configure them like this before.  More explicit help would be greatly appreciated.
0
 
traoher Commented:
No, do not change your MX records unless it is broken.  MX records pointing to mail.company.com is usually the default configuration.

Your problem is not your DNS or MX record, your problem is your NAT or the lack of it.

So if you have only a single IP, your only option is to get more IPs from your ISP and then configure proper NAT rules (unless you want to do port forwarding as described above).
0
 
gmanry (Author) Commented:
Ok,

So this is what I have so far:

1. Bluehost DNS is now pointed at secondary WAN IP
2. Bluehost redirect is pointed at subdomain.domain.net (this mirrors how our exchange DNS and redirect are set up, which seem to work fine).
3. Now I have to work on the NAT rules.
4. Then I have to incorporate the subdomain into the UCC/SANS certificate.

I really appreciate your help.  I, hopefully, will be closing this question soon.  Thanks again, and happy holidays.
0
 
gmanry (Author) Commented:
Ok,

I think I got it up and running now.

Thanks for your help Traoher.  I will ask a new question if I need further assistance.
0
 
gmanry (Author) Commented:
It was a combination of NAT and DNS record issues plus somebody who isn't as skilled in the mounting HTTPS websites department as he would like to be. :)
0
