Asendorf, John wrote:
I'm attempting to help our network administrator figure out how, or if, we can
route traffic coming to a single public IP to two different servers inside our
network by subdomain. For instance, we want www.site.com and www2.site.com to
have the same A record which sends requests to the same public IP address yet,
once they come to the firewall they are parsed to two different internal
servers, 10.80.10.3 and 10.80.10.6 (for instance).
Please don't write your paragraphs on one line.
A few problems here.
First off, there is no 100% sure way to do this. In HTTP 1.0, a host
could send,
GET / HTTP/1.0
To the external, public IP address. To which host do you send this?
There is absolutely no way to know which virtual site the user might
be interested in. That's perfectly valid HTTP. The "Host:" header is
not required in HTTP 1.0.
Now most of the time you will get a "Host:" line for HTTP 1.0 and it
is required for 1.1, which makes up the vast majority of HTTP traffic.
However, you still need an application layer proxy to do this. Consider
when the firewall gets a SYN to the public IP address in question.
It cannot forward the SYN until it gets the "Host:" header. It has to
complete the TCP connection itself.
AFAIK, your basic FW-1 does NOT do this kind of proxying. If anyone here
does know how to get FW-1 to do any kind of proxying, I'd love to hear
about it 'cause I have some other ways I would like to use it (blocking
and allowing HTTP clients to certain URLs).
--
Crist J. Clark crist.clark AT globalstar DOT com
Globalstar Communications (408) 933-4387
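
The routing decision described in the reply above, as an added example that is not part of the original message: the proxy reads the request head from a TCP connection it has already accepted itself, and only then can it pick an internal server. The function names, port 80 and the default-backend policy for Host-less HTTP/1.0 requests are assumptions; the hostnames and addresses are the ones from the question.

```python
# Added example: Host-based backend selection in an application-layer proxy.
BACKENDS = {                                  # names and addresses from the question
    "www.site.com": ("10.80.10.3", 80),       # port 80 is an assumption
    "www2.site.com": ("10.80.10.6", 80),
}
DEFAULT_BACKEND = BACKENDS["www.site.com"]    # assumed policy for Host-less HTTP/1.0


def read_head(sock, limit=8192):
    """Read from an already-accepted client socket up to the end of the headers."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:                         # client closed before finishing
            break
        buf += chunk
    return buf


def choose_backend(head):
    """Return (backend, reason); backend is None when the request is refused."""
    lines = head.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None, "malformed request line"
    version = parts[2]
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":   # header names are case-insensitive
            host = value.strip().lower()
            break
    if host is None:
        if version == "HTTP/1.0":             # valid request, but no way to tell the site
            return DEFAULT_BACKEND, "no Host header (HTTP/1.0), using default"
        return None, "HTTP/1.1 request without Host"
    hostname = host.split(":", 1)[0]          # drop an optional :port
    if hostname in BACKENDS:
        return BACKENDS[hostname], "matched " + hostname
    return None, "unknown host " + hostname


if __name__ == "__main__":
    # Constructed requests: one with a Host header, one Host-less HTTP/1.0.
    for raw in (b"GET / HTTP/1.1\r\nHost: www2.site.com\r\n\r\n",
                b"GET / HTTP/1.0\r\n\r\n"):
        print(choose_backend(raw))
```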