Port redirection https to http

Hello. My question is: I have a PIX 501 firewall. We have a small web application based on port 80 (http). Can I redirect ports on the firewall so people will type https://xxxxxxxxxx and it will redirect to http://xxxxx, and users will think that it is https, not http? If not, what should I buy? It is impossible to change this port :(

Thank you Robert

Reply to
Robert

I have at home 2x Cisco 3640 Router, 5x Cisco 2620 Router, 1x Cisco 2610 Router, Netscreen Firewall 5XP, and Netscreen Firewall 25 - can I use 1 of those?

Robert

Reply to
Robert

Robert wrote:

This is technically possible but I cannot imagine any legitimate or even useful use.

If you need SSL/TLS to public users, you may want to request a valid server certificate from a Certificate Authority.

This isn't a matter of any router/firewall in between the webserver and the browser. It's a matter of the Trust chain of the server's presented certificate.

Reply to
Uli Link

This application has to be on 80; it is impossible to be https :(

Reply to
Robert

Users won't usually type http://blah or https://blah, they will just type the URL. Even if they did type [link] and they were redirected to an http site, nobody is going to be fooled by this. There will be no SSL certificate to accept!

What you are trying to do serves no purpose.

Chris.

Reply to
chris

OK, we have our own tracker system. Users want to use https instead of http - but the problem is it is hardcoded - links are hardcoded - it is impossible to use https at the moment - they will have to recompile the whole code and it may take up to 6 months.

Thanks - I will tell them - NO WAY!!!!!! change code

Robert

Reply to
Robert

Robert wrote:

The difference between http: and https: is more than just a different default TCP port. So it won't work, even if you translate the port (which can be easily accomplished by a static NAT in any of your Cisco routers). The https: client will wait for cipher negotiation of SSL/TLS and an http: server won't answer the correct way regardless of its default listener port.

Reply to
Uli Link
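The mismatch described in the reply above, as an added example that is not part of the original thread: it builds the first bytes an https: client sends, shows that an http: request-line parser cannot read them, and then shows the client aborting when it receives a cleartext HTTP error instead of a ServerHello. It assumes Python's standard `ssl` module with in-memory BIOs, so nothing touches the network; the hostname `tracker.example` and the function names are constructed for illustration.

```python
import ssl

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}


def client_hello(hostname="tracker.example"):
    """Return the first bytes an https: client sends (hostname is constructed)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(
        incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is queued; the client now waits for a ServerHello
    return outgoing.read(), incoming, tls


def parse_request_line(data):
    """What a plain http: listener does with the first bytes it receives."""
    line = data.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    ok = (len(parts) == 3 and parts[0] in HTTP_METHODS
          and parts[2].startswith("HTTP/"))
    return (parts[0], parts[1]) if ok else None  # None: server answers 400


def handshake_after_plain_reply(incoming, tls):
    """Feed the http: server's cleartext error reply back to the TLS client."""
    incoming.write(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return "still waiting"
    except ssl.SSLError as exc:
        return "fatal: " + (exc.reason or "TLS error")
    return "established"


if __name__ == "__main__":
    hello, incoming, tls = client_hello()
    print("first bytes from https client:", hello[:5].hex())
    print("parsed as HTTP request line:", parse_request_line(hello))
    print("client after plain reply:", handshake_after_plain_reply(incoming, tls))
```

Translating port 443 to port 80 on a router only changes where these bytes are delivered; something in the path still has to speak TLS and present a certificate before the backend sees an HTTP request.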

Are the users inside or outside of where the firewall would go? Is the web server inside or outside?

When you say that "links are hardcoded", do you mean that the web-server sends back links in http://hostname format?

Where, exactly, is the use of port 80 hard-coded?

I am confused because in one place you say it is hardcoded but in another place the user would have the freedom to type https://something

Would it be possible for the user to type https://hostname:80 ? Is it possible for the web server to send back its links in that form? Is it possible for you to reconfigure the web server to use SSL on port 80?

https does not need to be on port 443 only: it can run over any port, with 443 being the default -- but all of the links would have to include the port number.

Reply to
Walter Roberson

Hi, just my 2c.

There is a Cisco box named SCA-something (Security Content Accelerator), which is actually a re-branded SonicWall SSL. The box can strip SSL and forward plain HTTP, but most importantly (in your case), it can REWRITE URL (or so they claim in the datasheet).

Roman Nakhmanson

Reply to
Roman Nakhmanson

Hi Robert,

I suspect what you are saying is that either the Server (on port 80) or the Client S/W (on the user machine) is custom S/W (or possibly BOTH!!!) and set up ONLY to use HTTP on port 80, and you need a SECURE transport between them.

If the desire is simply to encrypt the transport, then one way to do this would be to implement a simple (sic) VPN environment between them, until the original S/W can be modified.

Alternatively, if the SERVER end is a (custom) Web application that CANNOT be easily configured to work as HTTPS, then depending on the CLIENT needs, you may be able to set up something like Apache ahead of that Server to handle the HTTPS and Apache could re-direct the HTTPS to HTTP on Port 80 on the Target Server. That only leaves the Client end to worry about and if that is a standard Web Browser then you should be fine.

Cheers................pk.

Reply to
Peter

Hi,

try "SSG" (Service Selection Gateway) on cisco-documentation-center.

best regards

Peter

Reply to
Peter Kußman

Hi,

Software based SSL tunnel: [link]
Install that on your server - it can receive the inbound HTTPS connections, decrypt, and pass the unencrypted payload into the local HTTP listener. This is effectively a functionally limited software version of the SonicWALL (and Cisco) SSL Offloader.

joe

Reply to
joelevy
