Re: SSL on multiple sites in a virtually hosted WinServer 2003 - SOLVED!





"Electric Bliss" <tonyz@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:45fefcd4$0$498$815e3792@xxxxxxxxxxxxxxxxx
Greetings,

I have searched long and hard and I still don't know the best solution. I
hope someone can help.

Here's my current situation:

I have a block of 5 public ip addresses. I have a Cisco 670 doing PPPoE
with my ISP and its address is the public gateway.

I have a Linksys firewall connected to the Cisco and its wan port is set
to one of the public ip addresses.

I have a Windows 2003 web server behind the Linksys. I am forwarding HTTP
and SSL to it.

I am hosting several websites (virtually with host headers) on the server.


Here is my current challenge:

This setup works fine for only one SSL enabled site. If I enable another
site for SSL over port 443 then IIS uses the certificate from the first
site. The user then sees that the cert isn't correct, as it's pointing to
the wrong site's cert.

As a quick work-around I have forwarded another port to the server and am
using that for the second site's SSL. This works fine EXCEPT that some
users have a firewall that blocks SSL activity on ports that aren't 443.


Here is my attempted solution:

Installed a second Linksys router and set its wan ip address to another
one of my public ip addresses. (Both routers are now plugged into a small
switch together with the Cisco; each of their wan addresses is a different
public ip.)

Installed a second nic in my server and plugged it into the second Linksys.
So here is what the topology looks like:

ISP
 |
 |
Cisco 670 (ip address is public gateway)
 |
 |
4-port switch -----|
 |                 |
 |                 |
Linksys1           Linksys2
(wan public ip1)   (wan public ip2)
(lan 192.168.44.1) (lan 192.168.55.2)
 |                 |
 |                 |
Server nic 1       Server nic 2

Now I can set my second site to respond to HTTP and SSL requests on the
second nic (with the standard SSL port). This works fine, EXCEPT my
websites now intermittently "vanish" from outside hosts.

The only reason I can think this would be happening is that Windows isn't
capable of having more than one gateway. So it will establish a session on
one of the nics but it gets confused as to which gateway to send the
packets back out on. (I have no idea if this is the problem or not but the
fact is this solution isn't working and I would love to know why.)

Seems to me that Windows should recognize that a connection was
established on a particular nic and it should send the packets (that
belong to that session) back through the nic they came in on, through its
gateway (the corresponding Linksys), and out to the client.

Someone told me that there is no way to do this and that I'd have to make
my server a bastion host so that I have only ONE nic, with multiple public
addresses assigned to it, and only ONE default gateway (the cisco's ip#
(the public gateway address)).

I have avoided the bastion host solution because I want my server to be
behind a hardware firewall.

So here are my current questions:

1. Is my current solution just a pipe-dream? Is this even do-able? If so,
why are my websites vanishing? What am I missing in my setup to make this
happen?

2. Someone mentioned Sonicwall TZ 170 might be a (costly) solution. Is
there a hardware/firewall/router/gateway that does nat with multiple
public ip addresses that would solve this?

3. An even better question than those might be: what is the best solution
for what I am trying to do?

Sincerely,

Tony
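An added example, not part of Tony's post, that models why the two-gateway topology above loses replies and why a single-gateway design with 1:1 (MultiNAT) mappings does not. The LAN subnets are the ones in the diagram; the inside server addresses, the public addresses (203.0.113.x) and the client address (198.51.100.x) are constructed placeholders.

```python
import ipaddress

CLIENT = "198.51.100.7"  # constructed internet client address

def egress_gateway(routes, dst):
    """Longest-prefix match, ties broken by lowest metric. Windows 2003 uses
    ONE default route for all outbound traffic (lowest metric, or whichever
    dead-gateway detection currently prefers); the NIC a connection arrived
    on plays no part in choosing the reply's path."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, metric in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), gw)
    return best[1]

def reply_reaches_client(routes, nat, public_ip_contacted):
    """nat maps gateway -> {inside ip: public ip}, the forwarding table of the
    router at that gateway. The request is forwarded to an inside address, the
    reply is sourced from that address and leaves via whichever gateway the
    route table picks. That router either drops a source it has no mapping for
    or rewrites it to its own public address; the client's TCP stack accepts a
    reply only from the address it actually contacted."""
    inside = {pub: ins for table in nat.values() for ins, pub in table.items()}
    gw = egress_gateway(routes, CLIENT)
    if gw is None:            # client on a directly connected LAN: no NAT involved
        return True
    return nat[gw].get(inside[public_ip_contacted]) == public_ip_contacted

# Design A: the post's topology, two NICs and two default gateways.
TWO_GATEWAYS = [("192.168.44.0/24", None, 10), ("192.168.55.0/24", None, 10),
                ("0.0.0.0/0", "192.168.44.1", 10), ("0.0.0.0/0", "192.168.55.2", 20)]
TWO_ROUTERS = {"192.168.44.1": {"192.168.44.10": "203.0.113.1"},
               "192.168.55.2": {"192.168.55.10": "203.0.113.2"}}

# Design B: one NIC carrying two inside addresses, one default gateway, and a
# firewall that maps each public address 1:1 to an inside address (MultiNAT).
ONE_GATEWAY = [("192.168.44.0/24", None, 10), ("0.0.0.0/0", "192.168.44.1", 10)]
MULTINAT = {"192.168.44.1": {"192.168.44.10": "203.0.113.1",
                             "192.168.44.11": "203.0.113.2"}}

def flip_preferred_gateway(routes):
    """Dead-gateway detection swapping which default route is preferred; this
    is why the sites vanish intermittently rather than one failing for good."""
    return [(p, gw, 30 - m if p == "0.0.0.0/0" else m) for p, gw, m in routes]
```

With design A exactly one of the two public addresses answers at any moment, and which one changes when the preferred default route flips; with design B both always answer.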




Greetings,

I just wanted to update the thread on my final solution.

The "ZyXEL Prestige 334 Broadband Router with Firewall" was NOT the
solution. It does have MultiNAT but it forwards all the ports to the inside
address.

The "Zyxel ZYWALL 2X FIREWALL+ VPN ROUTER Internet Security Gateway for
Tele-Home" is the solution. It has MultiNAT and it allows you to set up
firewall rules so that only the ports you want exposed will be open.

I am very satisfied with the unit and have purchased another one as a
backup.

Hope this helps anyone looking for the same solution.




