1

I have an IIS 7.5 server which, in order to access via Remote Desktop, I have to connect to a Cisco VPN.

It has several sites on it, e.g.

site1
 bindings: www.domain1.com, domain1.com

site2
 bindings: www.domain2.com, domain2.com

site3
 bindings: sub1.domain2.com, sub2.domain2.com

I have a multi-domain, wildcard SSL certificate which works for *.domain1.com and *.domain2.com, which I have 'friendly named' to * and set up the SSL bindings using appcmd (see here - I have tried both * and an explicit IP address).

The https versions of the site can be accessed when I am connected to the VPN, but when I access the sites from any computer that is not connected to the VPN, the https sites time out.

I had thought this was because there was maybe a firewall on 443, but I have checked with the ISP and am told this is not the case (although I would like to check this - what's the best way to confirm?).

When connected to the VPN, pinging the site gives 192.168.100.20, which is the network adapter; when it's not connected it's 85.blah.blah.blah. The IIS logs record all traffic as coming in on 192.168.100.20.

Any ideas on checking the firewall, or on what else it could be?

mcintyre321
  • 169
  • 1
  • 6

1 Answer

0

You're likely dealing with a firewall issue and nothing related to the SSL cert itself. If you want to talk to the server from the Internet you need to validate the path of a https packet through the NAT firewall that the ISP runs and then to your server.

Can you (from a computer outside the firewall and VPN) "telnet www.domain1.com 443" and it say connected?

Can your ISP test and validate that Internet packets to 443 on that public IP (85.x.x.x) get to the server?

Can you look at the IIS logs while trying https from Internet and see log entries?

If everything above checks out OK then I would remove the 2nd and 3rd bindings and sites, and just try with one wildcard on one site. That's the simplest config. Then add the 2nd site and test, etc.

Bret Fisher
  • 3,973
  • 2
  • 21
  • 25
  • telnet won't connect to 443, I'll remove all the bindings and pester the ISP. For now, you are the accepted answer! – mcintyre321 Feb 20 '12 at 20:55
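As an added illustration of the checks the answer above asks for (does anything answer on 443 from outside the VPN, and if so does TLS actually complete?), here is a small Python probe; it is not from the original question or answer. It reports which layer an HTTPS attempt fails at, so a connect timeout (the firewall/NAT case the answer suspects) is told apart from a port that is open but not speaking TLS (a binding problem on the IIS side). The hostnames www.domain1.com and sub1.domain2.com in the comments are the question's own; the local plain-HTTP listener and closed port are constructed here so the block runs offline.

```python
import socket
import ssl
import threading


def probe_https(host, port=443, timeout=5.0, verify=True):
    """Probe an HTTPS endpoint one layer at a time.

    Returns {'stage': ..., 'detail': ...} where stage is:
      'tcp' - no TCP connection at all. A timeout usually means a firewall or
              NAT is dropping port 443; 'refused' means nothing is listening.
      'tls' - TCP connected but the TLS handshake failed: the port is reachable,
              so look at the IIS binding or certificate rather than the firewall.
      'ok'  - handshake completed; detail names the negotiated protocol and
              the certificate's CN (when the certificate was verified).
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return {"stage": "tcp", "detail": "connect timed out (likely filtered)"}
    except ConnectionRefusedError:
        return {"stage": "tcp", "detail": "connection refused (nothing listening)"}
    except OSError as exc:
        return {"stage": "tcp", "detail": f"connect error: {exc}"}

    ctx = ssl.create_default_context()
    if not verify:
        # Diagnostic mode: skip trust and hostname checks so that a self-signed
        # or mismatched certificate still lets us see the listener speaks TLS.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket on an already-connected socket performs the handshake now.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert() or {}
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            cn = subject.get("commonName", "<unverified>")
            return {"stage": "ok", "detail": f"{tls.version()} handshake, CN={cn}"}
    except ssl.SSLError as exc:
        return {"stage": "tls", "detail": f"handshake failed: {exc.reason or exc}"}
    except OSError as exc:
        return {"stage": "tls", "detail": f"handshake aborted: {exc}"}
    finally:
        raw.close()


def start_plain_http_listener():
    """Constructed for the offline demo: a listener on 127.0.0.1 that answers
    with plain HTTP instead of TLS (what a port with no HTTPS binding behind it
    looks like). Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        try:
            conn.recv(4096)  # swallow the ClientHello
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        except OSError:
            pass
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def reserve_closed_port():
    """Constructed for the demo: a local port with nothing listening on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Offline demo. Against the real server you would run, from a machine
    # outside the VPN and again from inside it, e.g.
    #   probe_https("www.domain1.com")  and  probe_https("sub1.domain2.com")
    # and compare which stage each attempt reaches.
    for name, port in (("plain-HTTP listener", start_plain_http_listener()),
                       ("closed port", reserve_closed_port())):
        result = probe_https("127.0.0.1", port, timeout=3, verify=False)
        print(f"{name:20s} -> {result}")
```

Run it from a host outside the VPN against each public name; a `tcp` timeout points at the ISP/NAT path for 443, while a `tls` failure or an `ok` with the wrong CN points at the appcmd bindings instead. Keep `verify=True` for the final check so a certificate/hostname mismatch is also caught.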