Netscape and Microsoft browsers compare the hostname in the Common Name
field of the certificate to the URL that the browser is trying to
contact. The easiest way to do this is to setup the outside DNS to
resolve www.name.com to an interface on the firewall. The firewall can
then pass traffic on port 443 (the SSL port) to the webserver. The
browser will receive a certificate with www.name.com and as long as the
URL starts with https://www.name.com/... they will match.
Another approach would be to put the webserver outside the firewall and
then use a different encrypted channel to go from the server through the
firewall to the data store behind the firewall. The advantage of this
model is that the encrypted channel can then be intercepted by the
firewall and the contents examined, it also sets separate controls on
the content and the server adding finer resolution great reliability to
the security model. In the previous example if the webserver is
compromised there is no way for the firewall to see what is happening on
From: Michael Sorbera [mailto:msorber @
Sent: Tuesday, December 30, 1997 8:50 AM
To: k. frisco
Cc: firewalls @
Subject: Re: off topic: ssl setup on web server inside firewall
k. frisco wrote:
> Does anyone know the trick to establishing ssl with a verisign digital
> certificate when the web server is inside, behind the firewall? Sorry
> being slightly off topic, don't know who else to ask. Not having any
> hearing from verisign support.
I'm a little confused at the question. I just set up a web server
that's behind my firewall. My firewall lets HTTP port 80 traffic
through to the web server. (It's the only thing there)
My confusion is that if folks can hit your web server, then when you set
up the digital certificate on the web server, it should work...??? Why
wouldn't it? Mine works fine...
Hope this helps...
Webmaster, Randolph-Brooks Federal Credit Union
"In the land of the clueless, he who has half a clue is King!"