We are being forced to install a component of a system that has a strictly HTTP login method. Vendor has stated it was 'Designed to be an internal application and not designed for internet access." like LAN app are somehow immune to credential theft, etc... Here not there, they will not budge, and I have no choice because we have no alternative at the moment. The service is on the other side of a VPN to make it worse, and I only control one side's networking.
Is there a service out there that would allow me to designate an IP on my network to impersonate the remote server, where an HTTPS session could be established, and have that system exclusively communicate with the remote?
I know this would only encrypt the traffic to and from my clients, but I could then firewall the remote IP to where communication could only come from my one host, and that reduces my overall places to intercept data form n<>1 to 1.
I know network devices such as Junpier's SSL gateway devices do something similar, you log into a web portal and it "rewrites" all data to and from to sources on the LAN side of the gateway.
Does anything this exist in the software only world?
This sounds a lot like one of the (once?) common use cases for reverse proxies. With something like HAProxy, Nginx or the Apache web server, you can try setting up an HTTPS listener with a valid certificate for the DNS name you want to present. Then set up a backend/reverse proxy configuration that connects to the correct HTTP port for the actual service, without any TLS configuration.
You’ll end up with secure connections from your clients to your reverse proxy, and insecure connections from your reverse proxy via the VPN to the server. If you can configure a VPN straight from the reverse proxy, your users’ credentials will be kept secure all the way to the provider’s apparently invincible network infrastructure.