Enabling WebVPN while NAT port 443

Unanswered Question


a client has a small 877W Router running the Advanced IP Service IOS.

It connects to the Internet using a standard ADSL2 connection with a single static IP address.

Currently, Outlook Web Access is available from the Internet by NAT configured to forward HTTPS traffic to an internal W2K3 SBS Server.

I would like to configure WebVPN but having played with it on this device realise that while I have NAT configured for port 443 to the internal server, the WebVPN portal won't work as it uses the same port.

Is there anyway to have WebVPN configured and while still allowing access to OWA web access from the Internet? Please note, I would rather not do the following:

- Change to a non-standard port for either service as this will just confused the non-technical users

- Restrict OWA access to just inside the WebVPN portal as some users have notebooks and connect their full Outlook clients via RPC-over-HTTPS so OWA needs to be accessible outside of the portal also.

Thanks for any assistance.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

I suppose further clarification on this may be required.

I want to allow two types HTTPS connections to the same, single, public IP on the router.

The first is to the internal OWA website and hence terminates behind the router at the SBS server.

The second is to the router for WebVPN and should terminate on the router.

The issue obviously is that if only inspecting the incoming connections up to Layer 4, both will look identical and there is no way of differeniating the two connections.

Is there a way to implement a higher layer of inspection so that connections to https://www.domain.com/exchange goes to the internal OWA server and connections to https://www.domain.com/webvpn goes to the router and either the portal or SSL VPN connection is accessed?

Any ideas would be appreciated.



joshgluck Tue, 01/06/2009 - 17:30
User Badges:

Do you already have a webserver running on https://www.domain.com ? If so then you could write a little script that site at /exchange that simply does an http-redirect to https://exchange.domain.com:8080 which is port forwarding to the internal exchange server on 443 and have the script do /webvpn as an http-redirect to https://webvpn.domain.com:443

I am not sure if you can do it as "inspection" on the router though. Http-redirect scripts are pretty easy to do if you control the content on your companies web server. Other than that you can run WebVPN on a non standard port too if you want to keep exchange on 443 but I think you are better off using the method I described above if you want to use the URI portion of a URL for redirection.

Is there a reason to no have OWA:443 running on a different IP than the WebVPN connection? Seems like letting DNS take care of the whole thing might be simpler.

Hope that helps :)

joshgluck Tue, 01/06/2009 - 17:31
User Badges:

Just saw that there is only a single static IP, missed that through the first read...apologies.


This Discussion