I have a client that requires a second IP address on their internet connection. They are currently connected via ADSL and were looking to change to TelstraClear VDSL but were told that there was no option for an additional IP address on the VDSL product.

The client requires a second IP address as they want to serve up a second SSL based application from their connection (the first being Outlook Web Access). The second application is for remote employee access only and running it over a custom SSL port is not an option - it also needs to use 443. They have a basic Cisco firewall and I'm not sure if it can split and redirect SSL traffic to different internal IP addresses based on host headers (or if that would break the application).

If your ISP offers multiple IP addresses on xDSL products, can you please reply to me off-list.

--
Thanks
Regan

On 22/03/2010, at 12:57 PM, Regan Murphy wrote:

> I have a client that requires a second IP address on their internet connection. They are currently connected via ADSL and were looking to change to TelstraClear VDSL but were told that there was no option for an additional IP address on the VDSL product.
>
> The client requires a second IP address as they want to serve up a second SSL based application from their connection (the first being Outlook Web Access). The second application is for remote employee access only and running it over a custom SSL port is not an option – it also needs to use 443. They have a basic Cisco firewall and I’m not sure if it can split and redirect SSL traffic to different internal IP addresses based on host headers (or if that would break the application).
>
> If your ISP offers multiple IP addresses on xDSL products, can you please reply to me off-list.

Yeah you can't do that with SSL, but you can with TLS if you have RFC4366 support with the servername thing.

As for DSL, IPCP doesn't let you negotiate two IP addresses at one end of the link. What you need to do is a single IP address, and then have a /30 routed down to you. Start asking for that and see what happens, you might do a bit better.

--
Nathan Ward

On 22/03/10 13:28, Nathan Ward wrote:

> Yeah you can't do that with SSL, but you can with TLS if you have RFC4366 support with the servername thing.

Off topic, but you actually can have multiple "hostnames" per a single IP but you need to use a wildcard SSL certificate & the cert would need to be on a load balancer or on the same physical server.

Might be helpful for someone.

Best Regards,
Quintin

--
Email: quintin(a)sitehost.co.nz
Auckland: +64 (09) 974 2182
Wellington: +64 (04) 974 4325
Nationwide: +64 0800 484 537

On 22/03/2010, at 1:32 PM, Quintin Russ wrote:

> On 22/03/10 13:28, Nathan Ward wrote:
>
> > Yeah you can't do that with SSL, but you can with TLS if you have RFC4366 support with the servername thing.
>
> Off topic, but you actually can have multiple "hostnames" per a single IP but you need to use a wildcard SSL certificate & the cert would need to be on a load balancer or on the same physical server.

You can also set subjectAltName if you want the certificate to cover names where a wildcard is not feasible.

Of course not even TLS+SNI works for an SSL type VPN - you typically want the SSL negotiation to happen at the VPN concentrator because there's some auth that happens based on the certificate that the client presents.

--
Nathan Ward

> As for DSL, IPCP doesn't let you negotiate two IP addresses at one end of the link. What you need to do is a single IP address, and then have a /30 routed down to you. Start asking for that and see what happens, you might do a bit better.

I thought I'd be less precise and see what options came in. I'd had replies, off list, for both routed subnet, and also routed Ethernet.

NB: I've had a routed subnet hosted on DSL before while awaiting a fibre install so I knew it was technically possible.

--
Regan