Web server and SSL VPN on single IP address

January 6, 2007 12:49:53 AM

I host a web site from a home server (IIS). Certain sections of this site are protected by SSL. I would like to add SSL VPN to my setup so that I can connect to my network remotely.

The problem is that I have only one external IP address and would like to have SSL VPN on port 443 which is already mapped to my web server.
Is this doable? Are there any SSL VPN appliances which are smart enough to route traffic to my web server appropriately (perhaps by looking at request hostnames)? Or perhaps there are some combinations of SSL accelerators and VPNs which are capable of this.

Is this too much to ask for?

Thanks in advance!
Helge
January 6, 2007 10:09:48 PM

With a VPN Router (FVS338), not port mapping or forwarding, you could connect directly to the router. This would grant you local access to your complete network remotely.

Just a thought.
January 6, 2007 10:35:16 PM

It looks like the FVS338 does not support SSL VPN, only IPSec. Unfortunately this doesn't work for me, as I often have to connect to my home network from within organizations with very restrictive firewalls having just a few open ports. Since port 443 is almost always open, SSL VPN looks like the ideal solution. However, I already use port 443 for my web server. (And I have only one external IP address.)

My hope is that there is an appliance or a software solution which could examine hostheaders and route requests to either web server or to VPN.
Does anyone know of a way to solve this?
January 15, 2007 5:40:57 PM

Late reply, but better late than never.

That setup is not going to work. I don't think you will find any appliance to do what you require. This is a limitation of the protocol itself. The host header is encrypted, and therefore you need to be able to pick the right certificate. This is done by looking at the IP and port used in the request. Once the right cert has been selected and data can be decrypted, the host header becomes available. This is why you usually require a dedicated IP per SSL certificate.

There are a couple of ways to get around this by using wild card certs, but I don't know of any appliance that could help you with your current setup.
January 16, 2007 2:46:28 AM

Thanks for your explanation, Sevren. It is great to get a competent reply. As you probably gathered from my posts, networking is not my area of expertise.

Could you kindly tell me if the following setup can work for me:

1. Get second IP.
2. Connect switch to cable modem
3. Connect a router for local network to the switch
4. Connect an SSL VPN appliance to the switch
5. Configure a bridge between SSL VPN and local net?

Is there a simpler solution? Can you recommend any specific devices?
Thanks
January 17, 2007 11:56:23 PM

Hmm, well, couldn't you redirect to the SSL VPN website doing some layer 7 stuff on the web server? Where I work they redirect websites all the time based on URL. In other words, going to https://ssl.mysite.com would show the SSL VPN site, or https://web.mysite.com would show the secure website. But both URLs point to the same IP.

I don't know if this would be possible, I am more of a network guy.

Only other way I know of is a dedicated layer 7 routing device such as a Cisco 11501 or Microsoft's Load-Balancing Services.
January 18, 2007 12:52:45 AM

Quote:
Thanks for your explanation, Sevren. It is great to get a competent reply. As you probably gathered from my posts, networking is not my area of expertise.

Could you kindly tell me if the following setup can work for me:

1. Get second IP.
2. Connect switch to cable modem
3. Connect a router for local network to the switch
4. Connect an SSL VPN appliance to the switch
5. Configure a bridge between SSL VPN and local net?

Is there a simpler solution? Can you recommend any specific devices?
Thanks


That would work. Two IPs, two home routers, including one at least that supports VPN w/ SSL (if that's what you had in mind by SSL Appliance), and then you can bridge both internal networks.

I don't know how you're getting your IPs, so it's hard to suggest something else, but the only other possible setup in my opinion is to use a router that supports multiple IPs instead of having 2 devices and having to bridge them eventually. You could possibly get a cheap Cisco 850 series router, for example. But then again as I said, it all depends on what kind of connection you have and how your ISP will assign you IPs.

As for t1n0m3n's suggestion of using a load balancer like a F5 BigIP or MLBS, I just don't see how that would help, but maybe I'm missing something. You'd still be stuck unable to get the http header because of the SSL encryption.