Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
430
Views
0
Helpful
3
Replies

Enabling WebVPN while NAT port 443

info
Level 1
Level 1

‎10-15-2008 04:58 AM - edited ‎03-09-2019 09:40 PM

Hi

a client has a small 877W Router running the Advanced IP Service IOS.

It connects to the Internet using a standard ADSL2 connection with a single static IP address.

Currently, Outlook Web Access is available from the Internet by NAT configured to forward HTTPS traffic to an internal W2K3 SBS Server.

I would like to configure WebVPN but having played with it on this device realise that while I have NAT configured for port 443 to the internal server, the WebVPN portal won't work as it uses the same port.

Is there anyway to have WebVPN configured and while still allowing access to OWA web access from the Internet? Please note, I would rather not do the following:

- Change to a non-standard port for either service as this will just confused the non-technical users

- Restrict OWA access to just inside the WebVPN portal as some users have notebooks and connect their full Outlook clients via RPC-over-HTTPS so OWA needs to be accessible outside of the portal also.

Thanks for any assistance.

Simon

Labels:
0 Helpful
3 Replies 3

info
Level 1
Level 1

‎10-18-2008 03:15 AM

I suppose further clarification on this may be required.

I want to allow two types HTTPS connections to the same, single, public IP on the router.

The first is to the internal OWA website and hence terminates behind the router at the SBS server.

The second is to the router for WebVPN and should terminate on the router.

The issue obviously is that if only inspecting the incoming connections up to Layer 4, both will look identical and there is no way of differeniating the two connections.

Is there a way to implement a higher layer of inspection so that connections to https://www.domain.com/exchange goes to the internal OWA server and connections to https://www.domain.com/webvpn goes to the router and either the portal or SSL VPN connection is accessed?

Any ideas would be appreciated.

Thanks

Simon

0 Helpful

joshgluck
Level 1
Level 1
In response to info

‎01-06-2009 05:30 PM

Do you already have a webserver running on https://www.domain.com ? If so then you could write a little script that site at /exchange that simply does an http-redirect to https://exchange.domain.com:8080 which is port forwarding to the internal exchange server on 443 and have the script do /webvpn as an http-redirect to https://webvpn.domain.com:443

I am not sure if you can do it as "inspection" on the router though. Http-redirect scripts are pretty easy to do if you control the content on your companies web server. Other than that you can run WebVPN on a non standard port too if you want to keep exchange on 443 but I think you are better off using the method I described above if you want to use the URI portion of a URL for redirection.

Is there a reason to no have OWA:443 running on a different IP than the WebVPN connection? Seems like letting DNS take care of the whole thing might be simpler.

Hope that helps :)

0 Helpful

joshgluck
Level 1
Level 1
In response to joshgluck

‎01-06-2009 05:31 PM

Just saw that there is only a single static IP, missed that through the first read...apologies.

0 Helpful
Customers Also Viewed These Support Documents