
Port 443 Question


Richard K

May 29, 2008, 4:03:01 PM
I am going to have an issue with a network setup. Basically there is an SBS
2003 server and the standard ports are open for Mail, OWA, Remote and
CompanyWeb and this includes 443 (+ 3389, 444, 4125, 25). In addition there
is a completely different server (running Linux and apache) on the internal
network. Since there is a HIPAA requirement all communication to the Linux
server must operate under 443 SSL. I can redirect that port on the firewall
to the Linux server but I am thinking I will break all of my other
connections for OWA, and RWW to my SBS server.

Am I correct? Any suggestions on how I handle this?

Thanks!

-Richard K

Costas

May 29, 2008, 4:24:41 PM
Richard,

Is the Linux box part of the SBS domain? If yes, and you have SBS Premium
installed, you could create a wildcard certificate (or buy one), and then
have https://server.domain.com go to your SBS server and
https://linux.domain.com go to the linux box.

I'm pretty sure that will work, but it adds to the complexity of managing a
small business network.

--
Costas


"Richard K" <Rich...@discussions.microsoft.com> wrote in message
news:A0706CD2-8383-4EFB...@microsoft.com...

Richard K

May 29, 2008, 4:30:03 PM
It's not part of the domain and I'm running std so no ISA. I have an
external router controlling the port forwarding.

Costas

May 29, 2008, 4:52:40 PM
If your router supports one-to-one NAT, you can ask your ISP for a block of
IP addresses and have both servers, the SBS and the Linux, published to the
Internet with their own IP address. That implies that you must have
firewalls between the router and the two boxes, otherwise they are sitting
ducks on the Internet.

--
Costas


"Richard K" <Rich...@discussions.microsoft.com> wrote in message

news:79F5CEEF-C20B-49C4...@microsoft.com...

Jan

May 29, 2008, 4:54:42 PM
Routed subnet would get you out of trouble. SSL requests arriving on one IP
forwarded to Linux box, second IP forwarded to SBS.

--
Jan Wakulicz
www.micropol.com.au


"Richard K" <Rich...@discussions.microsoft.com> wrote in message

news:79F5CEEF-C20B-49C4...@microsoft.com...

Cliff Galiher

May 30, 2008, 12:06:59 AM
Richard:

You are correct that the HIPAA Security Requirement passed in April of 2005
does have some requirements attached to it, but neither SSL nor 443 was
specifically specified (thankfully). To keep yourself out of hot water, you
should definitely be using encryption (SSL, TLS), but if you can't get a
subnet as already recommended, you can hang your apache instance off any
port you deem appropriate. I've even gone so far as to set up a silent
redirect on the SBS box, listening for the appropriate header
(apache.mydomain.com:443) and had it rewrite to the appropriate port
(apache.mydomain.com:450) and then I can properly forward *that* port, via
the firewall/router and 1-to-1 NAT, to the appropriate box. That will
prevent you from breaking SBS. :)

-Cliff

"Richard K" <Rich...@discussions.microsoft.com> wrote in message
news:A0706CD2-8383-4EFB...@microsoft.com...

Richard K

May 30, 2008, 3:16:00 AM
Cliff, you have an interesting scenario that may work because I'm not sure
about multiple public IPs until I check. BUT... how do I set this up on the
router and more particularly the SBS box? Do I still set up the 443 redirect
to the SBS? What do I do to the SBS for the redirect to the other port? I
just need some help with the details.

Thanks!

Richard K

May 30, 2008, 3:18:00 AM
Assuming I can get 2 public IPs from the ISP, any recommendations on a not too
expensive router that can support more than 1 public IP?

Costas

May 30, 2008, 7:36:18 AM
The 3Com OfficeConnect Cable/DSL Router (#3CR858-91) does 1-to-1 NAT and
1-to-many NAT and it costs less than $60. Just a reminder that you'll need
firewalls behind the router if you decide to do a 1-to-1 NAT.

Hope that helps

--
Costas


"Richard K" <Rich...@discussions.microsoft.com> wrote in message

news:8CA1C692-3708-4EAB...@microsoft.com...

Pedro M. Leite

May 30, 2008, 10:49:47 AM
Hi

Sorry for intruding, but I have a similar scenario, but under SBS 2k3
Premium, with ISA.
I tried before but could not create a *.ourdomain.com certificate.
How do I do that under Windows Server? Of course I can create one under
the Linux boxes, but if it is possible under SBS, so much the better.
I tried under ciecw but with no success.

thank you

PLeite
---------------------------------------------------------

Costas

May 30, 2008, 11:01:03 AM
The following link describes the process of creating a wildcard certificate
in ISA Server 2004 http://www.isaserver.org/tutorials/2004wildcardcert.html

I had followed the instructions in the past and created one in ISA 2004
running on SBS, in order to be able to publish a SharePoint site sitting on
a member server.

--
Costas


"Pedro M. Leite" <ple...@cimbo.com> wrote in message
news:uq7$oRmwIH...@TK2MSFTNGP06.phx.gbl...

Pedro M. Leite

May 30, 2008, 1:04:25 PM
Big Help !!!

thanks Costas

have a nice weekend

PLeite
-------------------------------

Pedro M. Leite

May 30, 2008, 2:00:15 PM
Hi

Sorry, but it didn't work out.
I issued a *.ourdomain.com but the certificate is signed by
*.ourdomain.com, which is an invalid signature, and the certificates don't
work.

Can you help me on this one?

thanks

Posting to a different ng.

PLeite

On Fri, 30 May 2008 11:01:03 -0400, Costas wrote:

Costas

May 30, 2008, 2:26:11 PM
I'm pretty sure these instructions work because I have followed them myself.
When you say "invalid signature" what do you mean? The wildcard certificate
is used on ISA server. The other servers must have a named SSL certificate.

Also make sure that you change the default Web Listener to use the wildcard
certificate.

--
Costas


"Pedro M. Leite" <ple...@cimbo.com> wrote in message

news:%23gBNE8n...@TK2MSFTNGP03.phx.gbl...
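Costas's point is that one wildcard certificate on the ISA listener covers every published name under the domain, while each back-end server keeps its own named certificate. The following Python function is an added example, not code from the thread or from ISA Server, that shows exactly which hostnames a `*.ourdomain.com` certificate does and does not cover under the matching rules browsers apply (left-most label only, exactly one label, case-insensitive). The hostnames tested are constructed from the names used in this thread.

```python
def wildcard_matches(pattern, hostname):
    """Return True if a certificate name such as '*.ourdomain.com' covers hostname.

    The rules implemented here are the usual browser / RFC 6125 practice
    (stated as an assumption of this example, not something the thread spells out):
      - comparison is case-insensitive and ignores a trailing dot;
      - '*' may only be the entire left-most label, and there may be only one;
      - '*' matches exactly one label, so neither the apex domain
        (ourdomain.com) nor deeper names (a.b.ourdomain.com) are covered;
      - a wildcard directly under a public suffix ('*.com') is refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname                 # plain named certificate
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:   # partial-label or multiple wildcards
        return False
    if len(p_labels) < 3:                          # '*.com' would cover a whole TLD
        return False
    if len(h_labels) != len(p_labels):             # apex or deeper subdomain
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def names_covered(pattern, hostnames):
    """Map each hostname to whether the certificate name pattern covers it."""
    return {h: wildcard_matches(pattern, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample names based on the ones discussed in the thread.
    for name, ok in names_covered("*.domain.com", [
        "server.domain.com",      # SBS box (OWA, RWW, CompanyWeb)
        "linux.domain.com",       # Linux/Apache box
        "domain.com",             # apex: NOT covered by the wildcard
        "a.b.domain.com",         # two levels down: NOT covered
    ]).items():
        print(f"{name:22s} {'covered' if ok else 'not covered'}")
```

In the published-names setup from this thread, this is why a single wildcard on the ISA listener can front both `server.domain.com` and `linux.domain.com`, and why a hostname that is not exactly one label below the domain would still need its own certificate.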

Cliff Galiher

May 30, 2008, 4:16:36 PM
Yes, you'd redirect 443 to SBS. As far as the rest, it depends on what you
want to accomplish. HTTPS has to be bound to a specific port and you can't
pre-sniff the header. Well...the gearheads will say there is a new
standard, just to be argumentative, but it isn't widely supported...so for
the sake of this setup, 443 is bound to a specific site. That leads to
problems with assigning certificates, etc., so I find it easier to set up SBS
to listen for the redirected URL on port 80.

Just create a new site and set the header to the machine name you want
(let's call it records.mydomain.com.) Alternatively, if you *need* SBS to
be listening on 443, you can create a new subdirectory on your current
default site (already listening on port 443) so the URL would be
office.mydomain.com/reports (or whatever you wanted the directory portion of
the URL to be.)

Finally, set up an ASP file (index.asp, for example) with a single line...

<% Response.Redirect "https://reports.mydomain.com:450/" %>

Port 450 on the router needs to be forwarding traffic to your secure server,
and the server needs to be configured to listen for https requests on port
450. That can be your SBS box, another windows box with apache, another
windows box with IIS, or a linux box with whatever flavor of server you
like.

Hope that helps...

-Cliff

Either way, whether it is a directory, or just a new site listening on port
80, you would set up a redirect.


"Richard K" <Rich...@discussions.microsoft.com> wrote in message

news:1797F6E6-2A32-4765...@microsoft.com...
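The "new standard" Cliff mentions for choosing a site before the TLS session is decrypted is presumably Server Name Indication (SNI), the extension that carries the requested hostname in the clear inside the ClientHello. The Python script below is an added example, not code from the thread or from SBS, ISA or Apache: it parses the SNI name out of a ClientHello and uses it to decide which internal box a connection arriving on port 443 should be handed to, without terminating TLS at the front end. The back-end names, the internal addresses and the sample ClientHello are all constructed for the example; the builder exists only so the parser has realistic input to run against offline. It also shows the 2008-era caveat in Cliff's post: a client that sends no SNI falls back to a default back end (the SBS box here), so those clients still reach only one site.

```python
import struct

# Constructed example back ends (placeholder addresses, not from the thread).
BACKENDS = {
    "server.domain.com": ("192.168.1.10", 443),   # SBS: OWA, RWW, CompanyWeb
    "linux.domain.com":  ("192.168.1.20", 443),   # Linux/Apache box
}
DEFAULT_BACKEND = BACKENDS["server.domain.com"]   # clients without SNI keep reaching SBS

SNI_EXTENSION = 0     # extension type server_name
HOST_NAME_TYPE = 0    # name_type host_name


def build_client_hello(hostname=None):
    """Build a minimal TLS ClientHello record (constructed test input).
    With hostname=None the extensions block is omitted, as pre-SNI clients do."""
    body = b"\x03\x01"                               # client_version TLS 1.0
    body += b"\x00" * 32                             # random (zeros for a sample)
    body += b"\x00"                                  # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"       # one cipher suite
    body += b"\x01\x00"                              # one compression method: null
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry  # ServerNameList
        ext = struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext    # extensions length + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None when the
    data is not a handshake record, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                   # truncated record
    pos = 2 + 32                                      # skip version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):
        return None                                   # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXTENSION or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        lp = 2
        while lp + 3 <= min(2 + list_len, len(data)):
            ntype, nlen = struct.unpack("!BH", data[lp:lp + 3])
            lp += 3
            name = data[lp:lp + nlen]
            lp += nlen
            if ntype == HOST_NAME_TYPE and len(name) == nlen:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def choose_backend(record):
    """Pick the internal (host, port) for one inbound 443 connection by SNI name.
    Unknown names and hellos without SNI go to the default (SBS) back end."""
    host = parse_sni(record)
    if host is None:
        return DEFAULT_BACKEND
    return BACKENDS.get(host.lower(), DEFAULT_BACKEND)


if __name__ == "__main__":
    for name in ("linux.domain.com", "server.domain.com", None):
        print(f"SNI={name!s:20s} -> {choose_backend(build_client_hello(name))}")
```

A real front end would read only the first record from the socket, call `choose_backend`, and then splice the two sockets together; because the decision is made on the cleartext SNI field, the TLS session itself still terminates on the chosen back end with that server's own certificate, which is what makes one public IP and one port 443 serve both boxes.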

Pedro M. Leite

Jun 2, 2008, 6:34:15 AM
On Fri, 30 May 2008 14:26:11 -0400, Costas wrote:

> I'm pretty sure these instructions work because I have followed them
> myself. When you say "invalid signature" what do you mean? The wildcard
> certificate is used on ISA server. The other servers must have a named
> SSL certificate.
>
> Also make sure that you change the default Web Listener to use the
> wildcard certificate

oooohhhh !! ( making dumb face :-(( )

I got the point now.

Back to the SBS box then.

thanks
PLeite
