03-30-2012 08:48 AM - edited 03-04-2019 03:51 PM
Hopefully this makes sense...
We are in a planning phase of adding another service to our DMZ. The DMZ has a single publicly accessible IP. We are running Citrix inside our network, externally accessible via web https (443). Another service will be added to the DMZ (Exchange/O365) requiring ADFS & an ADFS proxy, also using port 443. Both services (the Citrix secure gateway & ADFS) will have separate subdomains but directed to that same IP, each with its own cert. Now, I guess the question is: How (if possible) can we forward the public requests for the two services that hit our network on the same port (can't change the port on either) to two separate appliances with their own internal IPs?
Our current appliance on the DMZ is an ASA 5505. Also could use a PIX...
Thanks for any suggestions.
03-30-2012 09:23 AM
I guess where I'm a little stuck is that if the requests for those services are coming through the same port pointed to the same public IP, everything on the outside is the same (except the type of service and the domain name the clients make the requests from). So I'm not sure if there's a way those can be differentiated to get those requests routed to the appropriate internal IP/host/device (whether by service type/host header, or the DNS name the client is making the requests through, I'm not sure)...
03-30-2012 09:36 AM
Jamie,
It sounds like you'll need just a standard NAT translation and pass the port to your server. The client will determine what's needed to pass to the server. You can do this in the ASA:
static (dmz, outside) 1.1.1.50 192.168.1.50 netmask 255.255.255.255
access-list OUTSIDE permit tcp any host 1.1.1.50 eq 443
You'll pass your Citrix traffic to 1.1.1.50 and your other services can still run on 443.
HTH,
John
Please rate useful posts...
03-30-2012 09:55 AM
Thanks for your response John,
I think I see what you're saying, which makes sense if there was just the Citrix gateway on 443.
Thing is, it's 2 internal hosts - separate servers - separate internal IPs. On the outside (where the requests would be made from), one public static IP - both services using separate subdomains but DNS records pointing to the single static - clients can request either https://fs.mydomain.com or https://citrix.mydomain.com and they should both get forwarded to the appropriate internal service...
What you suggest seems to be specific to forwarding to one host - but what about when another host is added that wants to use the same port?
My thoughts were (and whether possible):
- Route the traffic to the appropriate destination based on headers (since each would be using its own subdomain)
- Problem I see with this, is I don't know if it's possible/how on the ASA
- It's my understanding that the headers would be encrypted if they're secure (https 443) and thus unreadable by the ASA
03-30-2012 11:16 AM
I understand. The ASA won't be able to route based on headers, so I don't think what you want to do will be possible with an ASA/Pix.
03-30-2012 01:44 PM
Thank you for your quick responses... Kinda what I was expecting, so additional IP is probably the simplest route.