«

Can I use my PIX to forward any HTTP request to HTTPS?

You can use it to change the port number, but what your talking about
is a change in protocol. You'll need something like a proxy to do that.

I can do it with a script - but I was just curious if I could do the
same or similar with the firewall.

Could I change reqeusts going to tcp80 to tcp443?

In article <. com>,
J1C <> wrote:
>I can do it with a script - but I was just curious if I could do the
>same or similar with the firewall.

>Could I change reqeusts going to tcp80 to tcp443?

You can use a PIX to forward nearly any port to nearly any other port
(you can't forward port 0, and there are a couple of reserved ports
for the outside interface IP).

Forwarding a port will not change the protocol, so unless your
tcp 443 server is somehow able to answer plain HTTP queries
that are not wrapped in SSL, you probably aren't going to like
the result...

Note too that you can only forward one port to any given destination
port. You cannot forward port 80 to port 443 -and- have port 443
go straight through. So if your TCP 443 server responds to the
HTTP request with an https:// URL at the same host, unless
you've redirected incoming 443 to something else, you will have
problems.

Couldn't you also configure the "static" line (NAT) with the port
translation (PIX version 6.2 and up, I believe)? Or is this what you
meant already by "forwarding"?

ie: static (inside,dmz) tcp YOURSERVER 80 YOURSERVER 443 netmask
255.255.255.255

Just curious,

Gond

Walter Roberson wrote:
> In article <. com>,
> J1C <> wrote:
> >I can do it with a script - but I was just curious if I could do the
> >same or similar with the firewall.
>
> >Could I change reqeusts going to tcp80 to tcp443?
>
> You can use a PIX to forward nearly any port to nearly any other port
> (you can't forward port 0, and there are a couple of reserved ports
> for the outside interface IP).
>
> Forwarding a port will not change the protocol, so unless your
> tcp 443 server is somehow able to answer plain HTTP queries
> that are not wrapped in SSL, you probably aren't going to like
> the result...
>
> Note too that you can only forward one port to any given destination
> port. You cannot forward port 80 to port 443 -and- have port 443
> go straight through. So if your TCP 443 server responds to the
> HTTP request with an https:// URL at the same host, unless
> you've redirected incoming 443 to something else, you will have
> problems.

In article <. com>,
Gond <> wrote:
>Couldn't you also configure the "static" line (NAT) with the port
>translation (PIX version 6.2 and up, I believe)? Or is this what you
>meant already by "forwarding"?

>ie: static (inside,dmz) tcp YOURSERVER 80 YOURSERVER 443 netmask
>255.255.255.255

Yes, that is static PAT, and is what I meant by "forwarding"
(a term I used because that is what the original poster used.)

As I indicated earlier, using static PAT does not change the
protocol: it just forwards data unchanged.

Thank you!

Gond

On Thu, 02 Feb 2006 12:05:05 -0800, J1C wrote:

> Can I use my PIX to forward any HTTP request to HTTPS?

since you can't do it thru the pix, you will have to rely on html. write
a simple http web page that does an instant refresh to the https page that
you would rather have users go to.. (remember to open/nat both ports on
firewall)
if by chance your problem has to do with Exchange/OWA, M$ has a KB
article
that covers this specifically.
http://support.microsoft.com/default...-us;555053#kb1

Yes, I used a script to do it - I was just wondering if a PIX could do
something similar.

In article < .com>,
J1C <> wrote:
Please quote context. The people who answer questions here mostly
do not use googlegroups as their primary reading interface, so
they might not be able to see the previous posting (or it might
have expired for them, or it might not have reached them...)

Re-injecting the context:

>On Thu, 02 Feb 2006 12:05:05 -0800, J1C wrote:

>> Can I use my PIX to forward any HTTP request to HTTPS?


>Yes, I used a script to do it - I was just wondering if a PIX could do
>something similar.

You don't need a script for it: just a single static page with
a HEAD element of META http-equivilent set to redirect to the
new page.