Solved

SSL and redirect issues

Posted on 2012-12-21
548 Views
Last Modified: 2012-12-24
Ok, this is complicated to describe:

We have our primary web domain on Bluehost, y.net.

We have a sub-domain that we redirected from bluehost to a DMZ webserver at our local office.  So the sub-domain is x.y.net.  I can hit the default IIS webpage through HTTP with that, so the redirect is working.

Now, it turns out the previous IT admin also has a redirect from bluehost for our exchange/owa login.  He also had a digicert UCC certificate on it.  Now, I can add the new subdomain to that but then I have two redirects to our external IP with no way to differentiate which HTTPS requests go to which server.  Redirects cannot specify external ports on Bluehost for port forwarding.

We use a Netgear UTM25 firewall and I don't see how to make any rules that can differentiate this traffic.

At first I was going to replace the UCC with a wildcard and consolidate everything, but that still doesn't solve my HTTPS routing problem.

The solutions I have come up with:

1. Specify second external IP on the second WAN port, but I am not sure that won't cause issues with internal routing as the web server has to communicate with our DNS and an SQL server through port forwards.

2. Remove the sub-domain for the exchange server and make the connection instead through an external port forward, but I am not sure that will alleviate the HTTPS confusion.

Any thoughts?
Question by:gmanry
17 Comments
 
LVL 6

Expert Comment

by:traoher
ID: 38714820
Why not just change the DNS record of your exchange to point to your external IP that is NATed for your exchange?

Bluehost controls your DNS record, so you will need to log in and change it or open a ticket to have them change it.

Author Comment

by:gmanry
ID: 38714828
The bluehost record does point to that address.

The record for the new subdomain points at our web IP and then redirects to our external IP.  The result is that they are still pointing at the same external IP.

So, when an HTTPS request comes in it automatically wants to go to the exchange server, and I don't see a way in the Netgear gateway to break that down any further.  Redirects don't allow for port specifications and neither do DNS records.
LVL 6

Expert Comment

by:traoher
ID: 38714838
Are the back-end hosts two different hosts?

If so, not possible unless you have port forwarding; but the session request must include the port information.

If it is on the same host, a host header can easily take care of it; the only requirement is that the FQDN must be used in making the connection.

I would recommend double checking your DNS records and your NAT table.

Author Comment

by:gmanry
ID: 38714849
That is how it is looking to me.  I think my best bet will be to put the exchange access on a port forwarded setup.  I don't know why the previous admin created a whole subdomain to handle that, when it doesn't have to be listed on the organization's webpage.

What about using a second external IP on the second WAN port for the new sub-domain?

Author Comment

by:gmanry
ID: 38714856
Right now, the Netgear is set to redirect any general HTTPS not port specified to the exchange server.

When the redirects come in, will they be through bluehost or will they be from the originating computer?  If they are from bluehost, then I can use a port forward to redirect those to the webserver.

I am not clear on whether bluehost plays intermediary or just passes it on.
LVL 6

Expert Comment

by:traoher
ID: 38714862
Yes, but I would recommend you find out all the NAT rules that were created.

What WAN IPs were used, how many are still available, what was NATed, etc.

Try to have a full understanding of what was in place before creating a new topology.

Author Comment

by:gmanry
ID: 38714866
I thought I did, but apparently not.  I am getting that information together.

Do you think it would be better to use a second WAN IP or to demote the exchange sub-domain to a NAT scheme?

I really appreciate the feedback.
LVL 6

Expert Comment

by:traoher
ID: 38714874
Figure out the information and topology, repost it, and I will then make some recommendations.

Author Comment

by:gmanry
ID: 38714876
Fair enough.

Author Comment

by:gmanry
ID: 38715958
Ok, I have attached a PDF file that lays out our topology and I have double checked the NAT rules.
Topology.pdf
LVL 6

Accepted Solution

by:traoher (earned 500 total points)
ID: 38716087
Thank you for posting the topology.

From the information you provided, there are a number of things you would want to accomplish.

1.  Single certificate for multiple servers.  That's an easy problem; you just need to buy a unified communications certificate with multiple common names (aka SAN cert).  With it you can install it on multiple servers.  The exception is your Exchange: one of the names on the cert must match exactly your Exchange server computer name.

In regard to your networking issue:

I haven't deployed the type of gateway appliance you have; however, most edge devices such as routers/firewalls are built much the same way.

Capabilities of these devices:

1.  1:1 NAT (aka static NAT); it is a one-to-one NAT such that 1 LAN IP maps to 1 WAN IP.
2.  1:many NAT (aka PAT); it is a port mapping and allows more than one computer from the LAN to use the external WAN IP.

Also, your ISP normally assigns IPs in blocks of 2, 6, 14, 30 with usable IPs being 1, 5, 13, 29, because they always take one for the gateway IP; so at minimum, check with your ISP for your IP block and how many you got.

If you can create a 1:1 NAT for your Exchange, do so; your inbound firewall rules for the Exchange will require at least two inbound types of connections:
1.  tcp 25 for mail delivery
2.  tcp 443 for HTTPS connection to the OWA directory
3.  change your MX record to match the new NAT rule
4.  change your DNS record for external resolution to match the new NAT rule

If you cannot create 1:1 NAT, then you must use port forwarding rules.  However, port forwarding rules based on destination ports will only work if the ports being used are unique.
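To make the accepted answer's routing point concrete: an edge firewall keys its inbound rules on WAN IP and destination port only, so two HTTPS names that resolve to one IP on port 443 cannot be told apart, while a second WAN IP (1:1-style NAT) or a unique external port can. The following Python model is an added example, not code from the thread or from the Netgear appliance; the hostnames, addresses and rules are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:          # inbound rule: (WAN IP, dst port) -> LAN host:port
    wan_ip: str
    dst_port: int
    lan_ip: str
    lan_port: int

@dataclass(frozen=True)
class Service:          # published name, its A record, client port, intended LAN host
    fqdn: str
    wan_ip: str
    port: int
    intended_lan_ip: str

def resolve_backend(rules, svc):
    """Backend the firewall picks for svc's packets, or None if no rule matches.
    Only WAN IP and destination port are consulted: a layer-3/4 device never
    sees the hostname, so two names on the same IP:port are indistinguishable."""
    for r in rules:
        if (r.wan_ip, r.dst_port) == (svc.wan_ip, svc.port):
            return (r.lan_ip, r.lan_port)
    return None

def misrouted(rules, services):
    """Names whose traffic lands on the wrong LAN host (or nowhere),
    mapped to the backend they actually reach."""
    bad = {}
    for s in services:
        got = resolve_backend(rules, s)
        if got is None or got[0] != s.intended_lan_ip:
            bad[s.fqdn] = got
    return bad

# Constructed topology: Exchange at 10.0.0.5, DMZ web server at 10.0.0.20.
EXCHANGE, WEB = "10.0.0.5", "10.0.0.20"
WAN1, WAN2 = "203.0.113.10", "203.0.113.11"
# A: one WAN IP, both names on 443. The single 443 rule sends everything to Exchange.
RULES_A = [NatRule(WAN1, 25, EXCHANGE, 25), NatRule(WAN1, 443, EXCHANGE, 443)]
SERVICES_A = [Service("exchange.example.net", WAN1, 443, EXCHANGE),
              Service("x.example.net", WAN1, 443, WEB)]
# B: second WAN IP with its own rule, i.e. a 1:1-style NAT per host.
RULES_B = RULES_A + [NatRule(WAN2, 443, WEB, 443)]
SERVICES_B = [Service("exchange.example.net", WAN1, 443, EXCHANGE),
              Service("x.example.net", WAN2, 443, WEB)]
# C: single WAN IP but a unique external port (8443) forwarded to the web server.
RULES_C = RULES_A + [NatRule(WAN1, 8443, WEB, 443)]
SERVICES_C = [Service("exchange.example.net", WAN1, 443, EXCHANGE),
              Service("x.example.net", WAN1, 8443, WEB)]
```

Running `misrouted` over scenario A reports x.example.net landing on the Exchange host, while scenarios B and C report nothing misrouted.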

Author Comment

by:gmanry
ID: 38716137
So, when I look at my MX record it is actually set to mail.domain.net instead of exchange.domain.net.

The current UCC/SANS covers that domain as well.

I am stepping into somebody else's mess.

Ok, so from what I am gathering of your response, using a second WAN IP would be the way to go and then work the NAT rules to route the traffic.

We do have some other external IPs still available.

Author Comment

by:gmanry
ID: 38716236
I have configured the UTM25 for load balancing across the two external IPs.

1. SMTP is already configured to point at the exchange.
2. HTTPS as well
3. For some reason the MX record is pointed at mail.domain.net, I don't know why.  I will change it to exchange.domain.net.  Though if it is set incorrectly here and now, what effect is it having?
4. The DNS record on Bluehost is already set and pointing the exchange domain at our first external IP.

I am probably a level above my knowledgebase here.  I do understand what these things are, but I have not had to configure them like this before.  More explicit help would be greatly appreciated.
LVL 6

Expert Comment

by:traoher
ID: 38716376
No, do not change your MX records unless they are broken.  MX records pointing to mail.company.com is usually the default configuration.

Your problem is not your DNS or MX record; your problem is your NAT or the lack thereof.

So if you have only a single IP, your only option is to get more IPs from your ISP and then configure proper NAT rules (unless you want to do port forwarding as described above).

Author Comment

by:gmanry
ID: 38719051
Ok,

So this is what I have so far:

1. Bluehost DNS is now pointed at secondary WAN IP
2. Bluehost redirect is pointed at subdomain.domain.net (this mirrors how our exchange DNS and redirect are set up, which seem to work fine).
3. Now I have to work on the NAT rules.
4. Then I have to incorporate the subdomain into the UCC/SANS certificate.

I really appreciate your help.  I, hopefully, will be closing this question soon.  Thanks again, and happy holidays.

Author Comment

by:gmanry
ID: 38719358
Ok,

I think I got it up and running now.

Thanks for your help Traoher.  I will ask a new question if I need further assistance.

Author Closing Comment

by:gmanry
ID: 38719363
It was a combination of NAT and DNS record issues plus somebody who isn't as skilled in the mounting HTTPS websites department as he would like to be. :)