Publishing https for two services
  • Publishing https for two services

    Hello,

    I am learning that for AD FS to work, 443 must be open on the firewall.

    The same applies for OWA (Exchange)

    So, how can the external firewall know to which internal host it must forward the https traffic?
    -
    Madrid (Spain).

  • #2
    When using multiple SSL websites they are usually published externally on distinct IP addresses, because of the requirement for the correct SSL certificate matching the external hostname.

    You can use a single IP address with a wildcard certificate, but that's usually more expensive than multiple external IPs and individual certificates.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Thanks Cruachan.

      Or maybe a SAN certificate (I always do this): autodiscover.domain.com, mail.domain.com, www.domain.com, directAccess.domain.com, rdp.domain.com ... (Alternative names)

      But the question does not aim at this, but at how the firewall handles https requests to different internal IPs: 192.168.1.3 (OWA) and 192.168.1.4 (AD FS Server).

      -
      Madrid (Spain).



      • #4
        The firewall will route requests based on (one or both of) the external IP the request is directed to (E.g. 1.1.1.1 for OWA, 1.1.1.2 for ADFS) or the hostname the request is for.

        With standard (HTTP) websites you can have multiple websites on the same IP and port with requests routed by host header, assuming you use IIS (which is pretty much all I have any experience with!), and now in IIS 7.5 you can also do this with SSL websites. https://blogs.msdn.microsoft.com/var...d-port-in-ssl/

        This gives you an idea of how the routing works with a single web server running multiple sites. The principle is broadly the same at the edge firewall, the request is routed based on destination hostname, IP and port.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog



        • #5
          Thanks again.

          I am wondering:

          If I have only one external IP (1.1.1.1), then how can the firewall know whether to redirect https traffic to 192.168.1.2 (OWA server) or to 192.168.1.3 (Federation Services server)?

          Taking into account there is only one SAN certificate: mail.domain.com (for OWA), adfs.domain.com (for ADFS).

          This certificate is installed in both the OWA Server and the ADFS Server.


          -
          Madrid (Spain).



          • #6
            If your firewall is clever enough to handle 2 HTTPS websites on one external IP, then it will be capable of routing based on the requested (external) hostname which is in the packet header.
            BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
            Cruachan's Blog

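To make the hostname-based routing described in #4 and #6 concrete, here is an added example (not code from the thread) of a small Python parser that pulls the server_name (SNI) out of a TLS ClientHello. That field is sent in the clear before any encryption, so a firewall or reverse proxy can read it and pick the backend without holding the certificate. The ClientHello is constructed inline, and the mail/adfs to 192.168.1.x mapping reuses the addresses from #5 as a hypothetical backend table.

```python
import struct

# Constructed ClientHello (not a capture): a TLS record carrying a
# ClientHello whose only extension is server_name (extension type 0).
def build_client_hello(hostname: str) -> bytes:
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list, host_name type, name
    ext = struct.pack("!HH", 0, len(sni)) + sni                      # type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)               # client_version, random (zeroed for the sample)
        + b"\x00"                             # session_id length 0
        + b"\x00\x02\x00\x2f"                 # one cipher suite
        + b"\x01\x00"                         # one compression method (null)
        + struct.pack("!H", len(ext)) + ext   # extensions block
    )
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None if absent/malformed."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None                                   # not a handshake record / not ClientHello
    p = 9 + 2 + 32                                    # skip record hdr, handshake hdr, version, random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    if p + 2 > len(record):
        return None                                   # legacy client: no extensions, so no SNI
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= min(ext_end, len(record)):
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                # server_name: list_len(2) type(1) name_len(2) name
            if elen < 5 or p + elen > len(record):
                return None                           # truncated extension, refuse to guess
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None

# Hypothetical backend table using the internal addresses from post #5.
BACKENDS = {"mail.domain.com": "192.168.1.2", "adfs.domain.com": "192.168.1.3"}

def route(record: bytes):
    """Pick the internal host for a ClientHello; None means no match (drop or default)."""
    sni = extract_sni(record)
    return BACKENDS.get(sni.lower()) if sni else None
```

A client that sends no SNI (or one that hides it with Encrypted ClientHello) leaves only the destination IP and port to route on, which is why the per-service external IP in #2 is the fallback when the edge device cannot read hostnames.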