Yes, wildcard certs do work on Pound, I've used them before, but not any more because of the expense.

You should be aware that there is still an instance in which you can get a cert error. Wildcard certs only work on *.company.com (like vpn.company.com, www.company.com, mail.company.com); however, they DON'T work on "company.com".

-----Original Message-----
From: Dave Steinberg [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2008 4:41 PM
To: [email protected]
Subject: Re: [Pound Mailing List] Pound usage for multi-domain solution.

> What they would like to do is direct mail.company.com:443 to the OWA
> resources and vpn.company.com:443 to the SSL VPN appliance (two
> separate internal IP addresses).
>
> I understand that the preferred/accepted way for doing this is to
> obtain multiple IPs from the ISP and map those internally.
> Unfortunately that is not an option with the provider available in the
> area at this time.

It's preferred because most people do not want their clients/customers/service users to see SSL validation errors when they try to access the service in question.

> From the landing page for Pound, it looks like there is a problem with
> multiple domain redirection to single internal host IP with virtual
> servers on that same IP, unless a wildcard cert is used, which seems
> to indicate that it may be possible if all 443 traffic is redirected
> to a single host/ip.

I've not tried it, but yes, a wildcard cert should work. They are unfortunately much more expensive than regular certs.

> From my small understanding of what I've read, Pound (or any other
> reverse proxy) is unable to decipher the host header because it comes
> after the SSL tunnel is negotiated. It would seem that the only
> solution left would be to use a product like Microsoft's ISA server
> that does seem to be able to reverse proxy SSL connections. If this
> is the case, I'm just a bit surprised that there isn't an option in
> the *nix world to achieve this goal.

This is not a software or OS limitation but rather a protocol limitation, for the reasons you describe. It is software agnostic, which is why the wildcard cert is the only option that will avoid warnings in your client software.

Regards,

--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/

--
To unsubscribe send an email with subject unsubscribe to [EMAIL PROTECTED]
Please contact [EMAIL PROTECTED] for questions.
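The caveat at the top of this message (a `*.company.com` certificate covers `vpn.company.com` but not the bare `company.com`) follows from the wildcard matching rules that TLS clients apply to certificate names. The following is an added example, not code from the Pound project or from anyone in this thread: a small Python implementation of those rules as specified in RFC 6125 section 6.4.3, run against a constructed certificate whose only name is `*.company.com` and a second constructed certificate that also lists `company.com` as a subject alternative name. All hostnames below are constructed; `company.com` is simply the placeholder used in the thread.

```python
"""Wildcard certificate name matching, following RFC 6125 section 6.4.3.

Added example for the Pound list thread; not part of Pound. The certificate
name lists and hostnames here are constructed for illustration.
"""
from typing import Iterable


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName `pattern` covers `hostname`.

    Rules applied (RFC 6125 section 6.4.3, conservative reading):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard is accepted only as the entire left-most label ("*.company.com");
        partial wildcards such as "vpn*.company.com" are rejected
      * the wildcard matches exactly one label, so "*.company.com" covers
        "vpn.company.com" but neither "company.com" nor "a.b.company.com"
      * a wildcard needs at least two fixed labels after it, so "*.com" is rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False

    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")

    # No wildcard: the names must be identical label for label.
    if "*" not in pattern:
        return pat_labels == host_labels

    # Wildcard must be the whole first label, appear nowhere else,
    # and leave at least two fixed labels (e.g. "company" and "com").
    if pat_labels[0] != "*":
        return False
    if any("*" in label for label in pat_labels[1:]):
        return False
    if len(pat_labels) < 3:
        return False

    # One wildcard label stands in for exactly one hostname label.
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def certificate_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list covers `hostname`."""
    return any(dns_name_matches(name, hostname) for name in san_names)


# Constructed certificates: the thread's wildcard cert, and the same cert with
# the bare apex name added as an extra SAN entry.
WILDCARD_ONLY_CERT = ["*.company.com"]
WILDCARD_PLUS_APEX_CERT = ["*.company.com", "company.com"]


def coverage_report(san_names: Iterable[str], hostnames: Iterable[str]) -> dict:
    """Map each hostname to whether the certificate would validate for it."""
    names = list(san_names)
    return {host: certificate_covers(names, host) for host in hostnames}


if __name__ == "__main__":
    hosts = ["vpn.company.com", "mail.company.com", "company.com", "a.b.company.com"]
    for cert in (WILDCARD_ONLY_CERT, WILDCARD_PLUS_APEX_CERT):
        print(cert)
        for host, ok in coverage_report(cert, hosts).items():
            print(f"  {host:20s} {'OK' if ok else 'NAME MISMATCH'}")
```

Running it shows `company.com` failing against the wildcard-only certificate and passing once the apex name is an explicit SAN entry, which is the usual way to avoid the error described above without buying a second certificate; `a.b.company.com` fails against both, since the wildcard label never spans more than one level.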
