I have a small cluster of NT's which uses MS Load Balancing. They are
running SSL and the units ONLY need to support short port 443 transactions--
a simple message in and a reply out. There will be no other traffic on this
little network.
The entire NT server array "looks" like a single published IP address mapped
to a single www DNS name.
We also have an inherited Cisco PIX 520.
I'd like to set up the 520 to block all other port traffic other than the
443 traffic. That part looks straightforward. But the PIX documentation
seems to stress using some form of address translation, so that the
address of the NT cluster is NOT the published www address, but an internal
private address. But if I do something like this, will my SSL still work (as I
believe SSL depends on the IP address resolving to the DNS name in the
issued certificate)?
Alternately, would my specialized situation suggest that I dispense with
address translation and just let the 443 traffic pass through the PIX to the
NT's which are running with the published DNS IP address? (In this case, I
am simply using the PIX to block traffic on all other ports.)
TIA
Harry
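For readers arriving at this thread, an added configuration sketch (not from the original post, and not from any reply in it) of the setup Harry describes: a one-to-one static translation of the NLB cluster's virtual IP to the published address, with an inbound access list that admits only TCP/443. It assumes PIX OS 5.x/6.x syntax (access-list/access-group rather than the older conduit command), and all addresses and interface names are placeholders. On the certificate question: a browser checks the name in the server certificate against the host name it was asked to connect to, not against the IP address it resolved to, so a static NAT in front of the cluster is invisible to the TLS handshake. The translation happens at the IP layer; the encrypted TCP/443 stream passes through unchanged.

```text
! Added example, not part of the original post. Assumes PIX OS 5.x/6.x
! and placeholder addresses: 203.0.113.10 is the published www address
! on the outside subnet, 10.1.1.10 is the NLB cluster's virtual IP on
! the inside network.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! One-to-one static translation: the cluster VIP appears on the outside
! as the published address. Only the IP header is rewritten; the TLS
! session carried inside the TCP/443 stream is untouched, and the client
! validates the certificate against the DNS name it requested, not the IP.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! Admit only TCP/443 to the published address from the outside. The
! implicit deny at the end of the list drops every other port and host.
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside

! Replies from the cluster follow the state-table entry created by the
! inbound connection, so no separate outbound rule is needed for them.
clear xlate
```

If the cluster keeps the published address itself (Harry's second option), the PIX still needs a translation entry before it will forward inbound traffic; an identity static of the form `static (inside,outside) 203.0.113.10 203.0.113.10 netmask 255.255.255.255 0 0` does that without changing the address, and the same access list applies. One operational check worth doing either way: if the NLB cluster runs in multicast mode, the PIX (like Cisco routers) may refuse to learn the cluster's multicast MAC address dynamically and needs a static ARP entry for the VIP, otherwise the 443 traffic is translated correctly but never delivered.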