Great Circle Associates Firewalls
(December 1997)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: RE: off topic: ssl setup on web server inside firewall
From: Daniel Todd <dtodd @ usweb . com>
Date: Tue, 30 Dec 1997 11:24:03 -0800
To: firewalls @ greatcircle . com

Netscape and Microsoft browsers compare the hostname in the Common Name
field of the certificate to the URL that the browser is trying to
contact.  The easiest way to do this is to setup the outside DNS to
resolve to an interface on the firewall.  The firewall can
then pass traffic on port 443 (the SSL port) to the webserver.  The
browser will receive a certificate with and as long as the
URL starts with  they will match.  

Another approach would be to put the webserver outside the firewall and
then use a different encrypted channel to go from the server through the
firewall to the data store behind the firewall.  The advantage of this
model is that the encrypted channel can then be intercepted by the
firewall and the contents examined, it also sets separate controls on
the content and the server adding finer resolution great reliability to
the security model.  In the previous example if the webserver is
compromised there is no way for the firewall to see what is happening on
the channel. 


-----Original Message-----
From: Michael Sorbera [mailto:msorber @
 ibm .
Sent: Tuesday, December 30, 1997 8:50 AM
To: k. frisco
Cc: firewalls @
 greatcircle .
Subject: Re: off topic: ssl setup on web server inside firewall

k. frisco wrote:

> Does anyone know the trick to establishing ssl with a verisign digital
> certificate when the web server is inside, behind the firewall?  Sorry
> for
> being slightly off topic, don't know who else to ask.  Not having any
> luck
> hearing from verisign support.
> thanks

I'm a little confused at the question.  I just set up a web server
that's behind my firewall.  My firewall lets HTTP port 80 traffic
through to the web server. (It's the only thing there)
My confusion is that if folks can hit your web server, then when you set
up the digital certificate on the web server, it should work...???  Why
wouldn't it?  Mine works fine...

Hope this helps...

Michael Sorbera
Webmaster, Randolph-Brooks Federal Credit Union
"In the land of the clueless, he who has half a clue is King!"

Indexed By Date Previous: RE: Notification: Inbound Mail Failure - Address not found
From: * Postal Service Desk <PostalClerk @ vinson . navy . mil>
Next: Re: Intrusion Detection - Switched Network
From: cbrenton <cbrenton @ sover . net>
Indexed By Thread Previous: Re: off topic: ssl setup on web server inside firewall
From: varmav @ verisign . com (Vik Varma)
Next: UNIX Security checklist - revisited
From: mcwilkin <mcwilkin @ twcable . com>

Search Internet Search