> -----Original Message-----
> From: Harry Whitehouse [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 15, 2000 1:49 PM
>
> [...]
> I'd like to set up the 520 to block all other port traffic other than
> the 443 traffic. That part looks straightforward. But the PIX
> documentation seems to stress using some form of address translation,
> so that the address of the NT cluster is NOT the published www address,
> but an internal private address. But if I do something like this, will
> my SSL still work (as I believe SSL depends on the IP address resolving
> to the DNS name in the issued certificate)?
Yes, SSL will still work. I have several servers behind a firewall
doing NAT and SSL comes through fine. When you issue a certificate
request on the server, use the internal address on that NIC. Then
bind the signed SSL certificate to that IP address. On the PIX
configure NAT so that the internal IP is translated to a public IP.

I'm not sure what cluster you use, but you probably have to use one
certificate per box issued to the real IP address, not the IP address
of the cluster. However, I have seen cases where that did not work,
and we had to issue one certificate with the virtual IP address and
install it to 'any IP addresses' on the server (a server can have
more than one IP; during cert installation you can use a single IP or
leave the field blank, in which case the certificate is valid on all
IPs).

Hope this helps,
Frank
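As an added illustration (not part of Frank's reply or the original thread): a minimal PIX configuration for the setup Harry describes, assuming PIX software 5.x or later (the access-list/access-group commands), the default interface names inside and outside, and placeholder addresses 10.1.1.10 for the NT server and 203.0.113.10 for its published address. The PIX rewrites only the IP header; the TLS handshake, certificate included, passes through unchanged, which is why NAT does not interfere with SSL.

```text
! Added example, not from the original thread. Placeholder addresses:
!   10.1.1.10     internal (private) address of the NT web server
!   203.0.113.10  published (public) address that DNS hands to clients
!
! Static one-to-one NAT: 10.1.1.10 on the inside is reachable as
! 203.0.113.10 on the outside. Only the IP header is rewritten; the
! TCP payload (the SSL handshake and certificate) is untouched.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! Inbound policy on the outside interface: permit only TCP/443 to the
! translated address. Everything not explicitly permitted is dropped by
! the implicit deny at the end of the list, so no deny line is needed.
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
```

On pre-5.0 PIX software the equivalent is a `conduit permit tcp host 203.0.113.10 eq 443 any` line in place of the access-list pair; check `show version` before choosing the syntax.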