Questions[ucc](server)

How many UCC SSL Certificates (or Subject Alternative Name Certificate) can we install on our server? We're looking to whitelabel our app such that those rebranding our web app (potentially 100+ domains) could use their own domain name, rather than a subdomain of our domain.

We're finding that RDG (Remote Desktop Gateway role) and VPN (Remote Access Server role) and Exchange roles do not want to play nice on one Server 2008 R2 machine.

For this reason we've moved to virtualizing them on Hyper-V across two seperate machines, VM#1 and VM#2.

Remote Desktop Gateway and VPN (sstp; Remote Acces Server) are running on Server 2008 R2 Std on VM#1.

We want to virtualize our Exchange on Server 2008 R2 Std to VM#2.

At the moment we only have one IP address. Port 80 and 443 are directed to VM#1. Port 25 is directed to VM#2. We could easily deploy an edge server for exchange on VM#1 and point port 25 to VM#1 as well.

There is no TMG/ISA. No reverse proxy either.

We have a SAN/UCC SSL Certificate from a third party for:

• mail.ourdomain.com
• autodiscover.ourdomain.com
• exchange.ourdomain.local <-- VM running Exchange mailbox and hub transport roles.
• remote.ourdomain.local <-- VPN/RDP access.

We would like to keep VM#1 and VM#2 seperate, as opposed to installing Exchange CAS and Edge roles on VM#1 on top of what we currently have.

Does anyone have advice on how best to accomplish this setup with one IP, and one UCC/SAN cert rather than getting two IPs from our ISP and pointing the second IP to exchange on VM#2?

We are looking to set up a cloud solution for one of our systems, but we need multiple TLD SSL's

• We are only allowed 5 public IP's
• Can't use UCC/Wildcard Certs since each client has own cert and some have different types of certs

I came up with the idea of setting up cloud load balancers for each client requiring SSL, and point the load balancer to our primary web server, on alternative ports...

Client1LoadBalancer -> webserver:444

Client2LoadBalancer -> webserver:445

Client3LoadBalancer -> webserver:446

. . .

ClientNLoadBalancer -> webserver:N

Are there any other approaches or ideas for this to work other than the cloud load balancing approach?

I am thinking about transitioning a number of websites over to using a UC or Multiple Domain SSL certificate.

I guess I'm just wondering what the drawbacks are. So far the only ones I can find are that:

• they're not ideal if you don't want different domains identified with each other.
• because you have only one certificate instead of several, if one certificate gets compromised then it's a greater security risk
• there are some concerns about compatibility with older browsers, as well as some mobile browsers

We don't deal heavily with private information, just info like e-mail, name, organization, etc. We do collect credit card payments but the volume is very small. These certificates would be used mostly for logins.

I need to secure 2 different domains that are both on the same EC2 instance.

Reason: 1 is a sales website. the other is the webapp. Both need to access the same MySQL database.

EDIT

Sales website means the website where users look at my pricing plans, etc and sign up. The webapp is a SaaS web application they have access to AFTER they signed up.

END of EDIT

Problem: the webapp domain needs to be using a wildcard SSL certificate that is already purchased.

the sales website needs to use a standard SSL certificate that is also already purchased.

Someone told me that an EC2 instance can only have 1 Elastic IP address.

And I cannot have more than 1 SSL cert on the 1 IP address.

I found this article http://www.invokemedia.com/setting-up-multiple-ssl-domains-on-amazon-ec2-one-ipport/ on usinbg a UCC certificate to workaround this issue.

But I am not sure if

• a) that will work and I do not wish to unnecessarily spend money and waste it in the end.
• b) it will work with a wildcard cert and standard cert at the same time.
• c) using UCC will accidentally defeat the purposes of SSL access for users.
• d) how to install and use it.
• e) how to go about getting a UCC since I got both SSL certs from GoDaddy.

Another possible solution I can foresee is that I get the webapp hosted on 1 EC2 instance and the sales website hosted on another EC2 instance which of course will double my monthly hosting costs.

then the problem emerges where my programming assumes that both applications need to be on the same server accessing the same MySQL database.

What is the best way out for me - security-wise, reliability-wise, efforts-wise, costs-wise, in descending order of importance?

Things I have learned

• 1 SSL cert to 1 IP:Port not 1 SSL cert to 1 IP
• there is such a thing called UCC SSL cert, not too sure what that means other than it allows you to have SSL for multiple domains at the same time using just 1 IP:PORT
• there is something called ELB Elastic Load Balancer that allows you to overcome having IP on 1 EC2 instance

End of things I have learned