Certificate with a port other than 443 and 80

Hello,

I need to set up a web server on IIS with an HTTPS certificate. Usually this doesn't cause me any problems, but this time I won't be able to use ports 443 and 80 because they are already in use by my mail server. Is it possible to use other ports? Is there any documentation, please?

Thanks in advance

1 Like

I apologize in advance for my lack of French.

Without knowing specific details about your network, it is difficult to give relevant and adequate advice.
That said, I can give some general advice here and also try to answer your question first.
If you are going to get/renew LE certs you will need HTTP on port 80 and from there it can be redirected to HTTPS on port 443 or to another system but must always remain on HTTP/80 or HTTPS/443. No other port or protocol combination will be acceptable.
That said, there is one other authentication method: DNS
Via DNS you can obtain a cert without having to deal with HTTP authentication requests.
DNS authentication is a bit more complicated; for automation it will require an ACME client, and a DNS service provider, that supports DNS APIs.
Once you have a cert you can always use it any way you like.
The trick is in getting the cert and also automating the renewals.

If you only have one IP, you may be able to “share” the IP:80 & IP:443 via a web proxy.

2 Likes

Hello, thank you for your response.
Is it possible to redirect port 443 to 445 and 80 to 85, for example, for the website? Can the certificate be generated?

Thanks
Sébastien

1 Like

No: Support redirect for ports other than 80 and 443

1 Like

Thank you. I don't have a web proxy, so otherwise I would need to request a 2nd fixed IP just for the web server, or modify ports 443 and 80 of the mail server (I don't know if this is easily possible).

That sounds overly complicated and a potentially unnecessary expense.
What O/S and web server does your MAIL system use?
[perhaps you can use the MAIL system as a web proxy…]

1 Like

I use Exchange 2013 on Windows 2012 R2. The Exchange server will not be on the same domain controller as the web server, but they will be in the same IP range.

Thanks
Sébastien

1 Like

I don’t have the expertise with IIS to help you with configuring it as a web proxy.
But Windows 2010r2 can run multiple web servers (just not on the same IP & port).
So if you are able to load NGINX or Apache (for Windows) on any internal system, we can use either of those to manage all inbound connections to your single external IP (and port 80 and 443).
From there you can then proxy to IIS, Exchange, and any other web enabled internal system (regardless of their internal port numbers).
The simplest requirement is to issue them all unique identifiers (FQDNs) from a real domain you control.
In the web world that is referred to as “SNI”. It is the “technology” that allows web hosting companies to serve thousands of domains from the exact same IP and port.

Also, Windows 2012r2 can run HyperV.
In that you can spin up any type of system - Linux, Mac, AIX, more Windows.
So you can have a dedicated system for web proxy.
[you just need enough resources - memory/CPU/disk for the additional system]

1 Like

Hello, thank you for your answer. For example, the Exchange server has a fixed IP with the external link webmail.domain.com, and the new web server will have the link webserver1.domain.com. Is that what you are talking about?

1 Like

Yes, they would all need their individual names.
All the names will need to resolve to the same (external) IP.
The router will then have to be changed to forward ports 80 and 443 to the proxy.
From there the proxy will connect users to their named destinations.

Kind of like an internal PBX switch works.
All external calls can come to one external number, then they key in a specific extension number and connect to one of many employees within the same building.

The proxy becomes that PBX system.

1 Like

On my router I can put, for example, port 443 -> IP Exchange and also port 443 -> IP Web server. Would this not be enough, since at my domain provider I have webmail.domaine.com and webserver.domaine.com? In the DNS of my server I also have webmail.domain.com -> LAN IP Exchange, and I would also have webserver.domain.com -> LAN IP webserver.

That is not possible.

It is one to one (only):
External.IP:80 > single.internal.IP:some.port.number
External.IP:443 > single.internal.IP:some.other.port.number

Not:
External.IP:80 > internal.IP.one:some.port.number
External.IP:80 > internal.IP.two:some.port.number
External.IP:443 > internal.IP.one:some.port.number
External.IP:443 > internal.IP.two:some.port.number

1 Like

It goes this way:

External.IP:80 > proxy.IP:some.port (let’s say 80)
External.IP:443 > proxy.IP:some.other.port (let’s say 443)

then depending on the name in the URL…
One of these will happen (per each connection request):

Proxy > Exchange:80
or
Proxy > Exchange:443
or
Proxy > Web.Server:80
or
Proxy > Web.Server:443
or
Proxy > any.other.internal.system:[1-65535]

So in total it would look like this:

Internet client > “web.server” > router > proxy > web.server
Internet client > “Exchange” > router > proxy > exchange.server
Internet client > “NAS” > router > proxy > nas.server
Internet client > “FTP” > router > proxy > ftp.server
Internet client > “MUSIC” > router > proxy > music.server

[limited only to your imagination]

1 Like
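As an added illustration of the name-based proxy described in the two replies above (the NGINX/Apache suggestion and the "Proxy > Exchange / Web.Server" flow), not configuration from this thread or from any poster: an NGINX configuration on the internal proxy host that receives the router's forwards of External.IP:80 and External.IP:443, answers Let's Encrypt HTTP-01 challenges on port 80 for every name, and selects the backend by SNI/Host. The hostnames, internal IPs (192.168.1.10 for Exchange, 192.168.1.20 for IIS on port 85), the ACME webroot and the certificate paths are assumed placeholders.

```nginx
# Added example, not from the original thread. Router forwards External.IP:80
# and External.IP:443 to this host; everything else is reached by name.
events {}

http {
    # Port 80: serve ACME HTTP-01 challenges for every name so renewals keep
    # working automatically; redirect all other plain-HTTP requests to HTTPS.
    server {
        listen 80;
        server_name webmail.domain.com webserver1.domain.com;   # assumed names

        location /.well-known/acme-challenge/ {
            root /var/www/acme;        # assumed: the ACME client writes challenge files here
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # Port 443: TLS is terminated on the proxy; the SNI name picks the server block.
    server {
        listen 443 ssl;
        server_name webmail.domain.com;
        ssl_certificate     /etc/letsencrypt/live/webmail.domain.com/fullchain.pem;   # assumed path
        ssl_certificate_key /etc/letsencrypt/live/webmail.domain.com/privkey.pem;     # assumed path

        location / {
            proxy_pass https://192.168.1.10:443;   # Exchange (assumed internal IP)
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    server {
        listen 443 ssl;
        server_name webserver1.domain.com;
        ssl_certificate     /etc/letsencrypt/live/webserver1.domain.com/fullchain.pem; # assumed path
        ssl_certificate_key /etc/letsencrypt/live/webserver1.domain.com/privkey.pem;   # assumed path

        location / {
            proxy_pass http://192.168.1.20:85;     # IIS on a non-standard port (assumed)
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

With this layout the backends never need ports 80 or 443 exposed externally; only the proxy does, and it is the proxy that the ACME client must be able to write challenge files for.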

No other choice than your proxy? Can't I change the port of Let's Encrypt? Or of Exchange?
Thanks again

1 Like

Yes, you can use additional external IPs (one would be required to cover each port overlap).
IP1:80 > IIS
IP2:80 > Exchange
IP1:443 > IIS
IP2:443 > Exchange
IP3:443 > NAS.server
IP4:443 > music.server

There are only three choices: HTTP, HTTPS (ALPN), DNS.
No other ports are allowed for authentication.

Yes, you can change the port of exchange.
In your current situation (only 1 external IP and no “proxy”), you can only assign each external port to one specific internal device.
So you are forced to do something like:
21 > ftp.server
22 > sftp.server
80 > IIS
81 > Exchange
443 > IIS
444 > Exchange
445 > NAS.server
446 > music.server

Using each port only once.

Now that may appear to resolve your problem.
But in 90 days all certs will be expired and you will be forced to renew them.
Those renewals can only be done via HTTP/HTTPS/DNS.
So from that list…
Only IIS will automatically succeed to renew.
And that is where the real problem is - automation.

Hello, thank you for your reply. So I installed a new router, I got a new fixed IP, and I generated the certificate. On the other hand, am I obliged to leave port 80 open? I have the IIS default site open on this port and I don't like that.

Thanks
Sébastien