What they would like to do is direct mail.company.com:443 to the OWA
resources and vpn.company.com:443 to the SSL VPN appliance (two
separate internal IP addresses).
I understand that the preferred/accepted way for doing this is to
obtain multiple IPs from the ISP and map those internally.
Unfortunately that is not an option with the provider available in the
area at this time.
It's preferred because most people do not want their
clients/customers/service users to see SSL validation errors when they
try to access the service in question.
From the landing page for Pound, it looks like there is a problem with
multiple domain redirection to single internal host IP with virtual
servers on that same IP, unless a wildcard cert is used, which seems
to indicate that it may be possible if all 443 traffic is redirected
to a single host/ip.
I've not tried it, but yes, a wildcard cert should work. They are
unfortunately much more expensive than regular certs.
From my small understanding of what I've read, Pound (or any other
reverse proxy) is unable to decipher the host header because it comes
after the SSL tunnel is negotiated. It would seem that the only
solution left would be to use a product like Microsoft's ISA server
that does seem to be able to reverse proxy SSL connections. If this
is the case, I'm just a bit surprised that there isn't an option in
the *nix world to achieve this goal.
This is not a software or OS limitation but rather a protocol
limitation, for the reasons you describe. It is software agnostic,
which is why the wildcard cert is the only option that will avoid
warnings in your client software.
Regards,
--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
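For reference, an added example (not from the list thread or the Pound project) of the wildcard-certificate approach the reply endorses: one Pound listener terminates TLS for both names on a single IP, then picks a backend from the Host header it can now read. The certificate path, the two backend addresses and the assumption that both backends themselves speak HTTPS are placeholders.

```text
# /etc/pound/pound.cfg (added example, assumptions marked)
User        "www-data"
Group       "www-data"
LogLevel    1

ListenHTTPS
    Address     0.0.0.0
    Port        443
    # One wildcard certificate (*.company.com) covers both hostnames,
    # so no client sees a name-mismatch warning. Placeholder path.
    Cert        "/etc/pound/wildcard.company.com.pem"

    # Host header is visible here because TLS was already terminated
    # by Pound; match it and route to the right internal address.
    Service
        HeadRequire "Host: .*mail\.company\.com.*"
        BackEnd
            Address 10.0.0.10        # placeholder: OWA server
            Port    443
            HTTPS                    # assumption: backend speaks TLS
        End
    End

    Service
        HeadRequire "Host: .*vpn\.company\.com.*"
        BackEnd
            Address 10.0.0.20        # placeholder: SSL VPN appliance
            Port    443
            HTTPS                    # assumption: backend speaks TLS
        End
    End
End
```

Note that a wildcard for *.company.com only works because both names share that parent domain; hostnames under different domains would still need separate public IPs (or a certificate listing every name).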