Networking Forums

SSL on multiple sites in a virtually hosted WinServer 2003

 
 
Electric Bliss
      03-19-2007, 08:12 PM
Greetings,

I have searched long and hard and I still don't know the best solution. I
hope someone can help.

Here's my current situation:

I have a block of 5 public IP addresses. I have a Cisco 670 doing PPPoE with
my ISP and its address is the public gateway.

I have a Linksys firewall connected to the Cisco and its WAN port is set to
one of the public IP addresses.

I have a Windows 2003 web server behind the Linksys. I am forwarding HTTP
and SSL to it.

I am hosting several websites (virtually with host headers) on the server.


Here is my current challenge:

This setup works fine for only one SSL enabled site. If I enable another
site for SSL over port 443 then IIS uses the certificate from the first
site. The user then sees that the cert isn't correct, as it's pointing to
the wrong site's cert.

As a quick work-around I have forwarded another port to the server and am
using that for the second site's SSL. This works fine EXCEPT that some users
have a firewall that blocks SSL activity on ports that aren't 443.


Here is my attempted solution:

Installed a second Linksys router and set its WAN IP address to another one
of my public IP addresses. (Both routers are now plugged into a small switch
with the Cisco; each of their WAN addresses is a different public IP.)

Installed a second nic for my server and plug it into the second Linksys. So
here is what the topology looks like:

ISP
 |
Cisco 670 (IP address is the public gateway)
 |
4-port switch ---------------+
 |                           |
Linksys1                     Linksys2
(WAN public ip1)             (WAN public ip2)
(LAN 192.168.44.1)           (LAN 192.168.55.2)
 |                           |
Server nic 1                 Server nic 2

Now I can set my second site to respond to HTTP and SSL requests on the
second nic (with the standard SSL port). This works fine, EXCEPT my websites
now intermittently "vanish" from outside hosts.

The only reason I can think this would be happening is that Windows isn't
capable of having more than one gateway. So it will establish a session on
one of the nics but it gets confused as to which gateway to send the packets
back out on. (I have no idea if this is the problem or not but the fact is
this solution isn't working and I would love to know why.)

Seems to me that Windows should recognize that a connection was established
on a particular nic and it should send the packets (that belong to that
session) back through the nic they came in on, through its gateway (the
corresponding Linksys), and out to the client.

Someone told me that there is no way to do this and that I'd have to make my
server a bastion host so that I have only ONE nic, with multiple public
addresses assigned to it, and only ONE default gateway (the Cisco's IP, the
public gateway address).

I have avoided the bastion host solution because I want my server to be
behind a hardware firewall.

So here are my current questions:

1. Is my current solution just a pipe-dream? Is this even do-able? If so,
why are my websites vanishing? What am I missing in my setup to make this
happen?

2. Someone mentioned the SonicWall TZ 170 might be a (costly) solution. Is there
a hardware firewall/router/gateway that does NAT with multiple public IP
addresses that would solve this?

3. An even better question than those might be: what is the best solution
for what I am trying to do?

Sincerely,

Tony
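
Tony's question 1 is never answered directly in the thread, so here is an added check (not part of the post) for why the sites vanish. Windows Server 2003 installs a 0.0.0.0 route for each NIC that has a gateway but uses only the lowest-metric one at a time; a reply to a client whose request arrived through the other NIC's Linksys therefore leaves through the active gateway's Linksys, which has no NAT state for that flow and either drops the packet or rewrites its source to the wrong public IP. The client's TCP stack discards it, the connection stays half-open, and once enough connections fail, dead-gateway detection switches the active default gateway, so the failure moves to the other NIC's sites. The commands below, run from the server console, show that state. The interface names and the server's addresses (192.168.44.10 and 192.168.55.10) are assumptions.

```batch
@echo off
rem Added check (not from the thread): what a two-NIC, two-gateway Windows
rem Server 2003 box looks like while its sites are "vanishing".
rem Assumed interface names: "Local Area Connection" (NIC 1, behind Linksys1)
rem and "Local Area Connection 2" (NIC 2, behind Linksys2); assumed server
rem addresses 192.168.44.10 and 192.168.55.10.

rem 1. Two default routes, one per NIC.  Only the lowest-metric 0.0.0.0 entry
rem    carries traffic; the other is a standby, not a per-NIC return path.
route print 0.0.0.0
netsh interface ip show address "Local Area Connection"
netsh interface ip show address "Local Area Connection 2"

rem 2. Replies for clients that came in through the standby NIC's Linksys go
rem    out through the active gateway instead, so those handshakes never
rem    complete.  Half-open connections on the standby NIC's address are the
rem    fingerprint: SYN_RECEIVED entries that never become ESTABLISHED.
netstat -an -p tcp | findstr /C:"192.168.44.10:443" /C:"192.168.55.10:443"

rem 3. Dead-gateway detection (on by default; the value is usually absent)
rem    swaps the active gateway after enough of those failures, which moves
rem    the problem to the other NIC's sites.  That is the "intermittent" part.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableDeadGWDetect
```

If step 2 shows half-open connections only on whichever address is not the active default's NIC, and they move to the other address after a while, the return path is the problem. No routing tweak on the server fixes it, because Windows has no source-address policy routing; the reply has to leave through the same NAT device the request came in on, which is what a single NIC behind one edge router gives you.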


 
Joe
      03-21-2007, 07:52 PM
Hello,

You cannot use the Linksys routers.
You have to map the public IPs via NAT to the private ones. Use the Cisco
for this and eliminate the rest of the LAN.

The Cisco should NAT and port-NAT to the service running on each server.

Example: in the router that is allocated all the public IPs, look for an option
to map the external IP to the internal IP and also what port it is on.

Also you have to disable socket pooling in Windows.
http://support.microsoft.com/kb/813368/

There is no need for the Linksys.

Joe

Joe
      03-21-2007, 11:09 PM
Hello,

The type of NAT that you are looking for is called one-to-one with P-NAT.
Add the private IP to the server NIC that you want to have that address and
manually set the IP in the NIC card properties. Now in the IIS MMC set the
virtual server to listen on that IP; do not leave it at (All Unassigned).

Do the same for the other server.
You can leave the switch if you want to, but that isn't necessary either.

You can do a lot with this type of setup. You can run 2 DNS,
2 MX/mail servers, and shared and dedicated hosting. This is a nice setup, enjoy.


Here is a high end router that will do just that.

http://www.sonicwall.com/us/support/289_3690.html

However, your Cisco should also. Basically you are telling the router where
your services are and what they want open, and telling your servers what to
listen for ;-)

Joe
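
Joe's two posts describe the end state: one NIC with two private addresses, one-to-one NAT at the edge, each IIS site bound to its own IP, and socket pooling out of the picture. Here it is as an added example (not Joe's or Microsoft's text) of the cmd session on the Windows Server 2003 box. The private addresses 192.168.44.10 and .11, site IDs 1 and 2, the host names and the interface name are assumptions; httpcfg.exe comes from the Windows Server 2003 Support Tools. The point of KB 813368 is that IIS 6 ignores the DisableSocketPooling metabase property, so the HTTP.sys IP listen list is what keeps each 443 listener on its own address.

```batch
@echo off
rem Added example (not Joe's or Microsoft's text): one NIC, two private IPs,
rem each IIS 6 site bound to its own IP:443 with its own certificate.
rem Assumptions: NIC name "Local Area Connection", private IPs .10 and .11,
rem IIS site IDs 1 and 2, host names www.site-one.example / www.site-two.example.

rem 1. Second private address on the single NIC.  The edge router maps
rem    public IP #1 -> .10 and public IP #2 -> .11 one-to-one, and the server
rem    keeps exactly one default gateway (the edge router's LAN address).
netsh interface ip add address "Local Area Connection" 192.168.44.11 255.255.255.0

rem 2. IIS 6 ignores the DisableSocketPooling metabase property (KB 813368).
rem    An empty HTTP.sys listen list means 0.0.0.0, i.e. one 443 listener for
rem    every address, which is why the first site's certificate answers for
rem    the second.  List the addresses explicitly instead.
httpcfg query iplisten
httpcfg set iplisten -i 192.168.44.10
httpcfg set iplisten -i 192.168.44.11

rem 3. Bind each site to its own IP instead of "(All Unassigned)".
rem    ServerBindings is IP:port:hostheader; SecureBindings is IP:port: with
rem    no host header, because the Host header travels inside the encrypted
rem    stream and IIS 6 cannot use it to choose a certificate.
cd /d %SystemDrive%\Inetpub\AdminScripts
cscript adsutil.vbs set W3SVC/1/ServerBindings "192.168.44.10:80:www.site-one.example"
cscript adsutil.vbs set W3SVC/1/SecureBindings "192.168.44.10:443:"
cscript adsutil.vbs set W3SVC/2/ServerBindings "192.168.44.11:80:www.site-two.example"
cscript adsutil.vbs set W3SVC/2/SecureBindings "192.168.44.11:443:"

rem 4. HTTP.sys reads the listen list only when it starts.
net stop http /y
net start w3svc

rem 5. Verify: one certificate hash per IP:443 and no 0.0.0.0:443 listener.
httpcfg query ssl
netstat -an -p tcp | findstr /C:":443 "
```

Install each site's certificate through IIS Manager (Web Site Properties, Directory Security, Server Certificate) before step 5; httpcfg query ssl should then list two entries with different certificate hashes keyed by 192.168.44.10:443 and 192.168.44.11:443. A leftover 0.0.0.0:443 entry belongs to the old all-unassigned configuration and goes away with httpcfg delete ssl -i 0.0.0.0:443. This is one public address per certificate-bearing site, which is what the block of five public IPs buys: IIS 6 has no SNI, so it is the only way to keep every site on 443 and keep the browser's name-mismatch warning, which is the browser behaving correctly, from ever appearing. The edge router's firewall should forward only 80 and 443 to each private address rather than every port.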
Electric Bliss
      03-22-2007, 07:55 PM
Thanks for your information! It looks like "Multi-Nat" is what I need and
the ZyXEL Prestige 334 Broadband Router with Firewall seems to have it.

Electric Bliss
      04-06-2007, 09:19 PM
Greetings,

I just wanted to update the thread on my final solution.

The "ZyXEL Prestige 334 Broadband Router with Firewall" was NOT the
solution. It does have MultiNAT but it forwards all the ports to the inside
address.

The "Zyxel ZYWALL 2X FIREWALL+ VPN ROUTER Internet Security Gateway for
Tele-Home" is the solution. It has MultiNAT and it allows you to set up
firewall rules so that only the ports you want exposed will be open.

I am very satisfied with the unit and have purchased another one as a
backup.

Hope this helps anyone looking for the same solution.


 