
Understanding https in DMZ - why two ips?


bazil2

Technical User
Feb 15, 2010
148
DE
(Elementary user)

This might be a little 'off-topic' but I couldn't find a more suitable forum...

I need to add a new webserver to our DMZ that works on https

As I understand it, we need to assign two addresses to the same machine as it is using https.

Can anyone explain to me why two IPs are necessary?

Best regards
 
I don't see any reason why you would need two IPs, unless it means in terms of a private LAN address and your public IP address from being in the DMZ. When you place a device in the DMZ, you are effectively removing the protections of the router and placing it on an open internet connection.

Two IP addresses are not required for HTTPS. HTTPS defaults to port 443 so it would be helpful to have that open, which it will be if you place your server in a DMZ.

The typical constraint is that if you want to have multiple secure pages then you technically need a distinct IP address for each one because (traditional) HTTPS does not identify by server name. I say technically and traditional here because for the last several years there has been a change to SNI or server name indication where the server name is handled as part of the connection establishment.

Do you have a link or anything that you could share with us regarding the multiple IPs that you found?

 
Many thanks for your help!

Page 4 of the following might help:

System requirements
• Prinergy Workflow System
• Adobe Acrobat Reader Software 6.0 or higher
• Internet Explorer Software 5.0 or higher on the PC or Safari Software on Mac OS 10.4.6
• Two external IP addresses (one if not using secure sockets layer)
• Local area network
• Firewall

Best regards
 
I see what you are saying, but I am sorry that I am no closer to an answer. The literature states two external IP addresses if using SSL. The more I think about this, the more curious I become. If you have a URL, such as mysite.net, that accepts web traffic, you have the same IP address for both regular and secure web traffic, but the default port at which the connection is made changes. The only reason I could see for two IP addresses is if the secure and non-secure sites are distinctly different in the URL. I am honestly having trouble understanding what the utility of two IP addresses would be for SSL.

My recommendation would be to contact Kodak and ask them what the purpose of two IP addresses is. If you do, please post their answer here.
 
Agree. Most likely it is sloppy programming. The only reason I can think of is that they have a management IP backend that uses 443, but they could use digital certs to protect the traffic.
 
Good evening,

Well I have a rather interesting answer, straight from the horse's mouth:

Best regards

The Prepress Portal and Storefront systems support a single network interface with multiple IP addresses. The reason is as follows. In order to use a Secure Sockets Layer (SSL) connection with the Prepress Portal and Storefront systems, the Microsoft® Internet Information Services (IIS) server software requires inbound access to port 443, which is traditionally the SSL port. Currently the Kodak Smart Review system, a component of the Prepress Portal and Storefront systems, also requires inbound access to port 443. Since the applications do not work well on a single port, an additional port 443 is required. The only way to obtain this is to assign a second IP address on the same subnet to the Ethernet card. The Prepress Portal and Storefront systems do not support multiple network interfaces.
 
Ah, I see said the blind man when he picked up his hammer and saw.

If you do have multiple public IP addresses, such as a range from your provider which some businesses do, this is a non-issue. If you only have one, this part leaves an easy out:
assign a second IP address on the same subnet to the Ethernet card.
You must have two IP addresses on the subnet to the Ethernet card(s). Nothing says that they need to be public IP addresses. If both require public (outside the LAN) access, you can easily set up a proxy in front of the system that forwards to the appropriate LAN IP based on URL. The proxy part could even be made invisible to the users.
