> Hide Address In The Address Bar

Monie
post Jun 7 2008, 08:47 PM
Post #1


Squeeze Machine
*****

Group: Members
Posts: 698
Joined: 13-February 08
From: Borneo
Member No.: 8



Here is the situation...

My company is using Windows Server 2003 and of course there is a firewall.
In that firewall there is a port that will be pointing to another server.
The main server has a web-based interface for people to select which application they want to launch!

The question is, in the web-based interface the address will look like this:
http://SERVERNAME:8989/esales/login.jsp
You see that displaying the port number is not a good way security-wise :D
How am I supposed to hide this from being displayed to the user?

Thank you.


--------------------

Jacob
post Jun 8 2008, 03:18 PM
Post #2


Co-Founder
******

Group: Co-Founders
Posts: 2,410
Joined: 13-February 08
From: On the forum!
Member No.: 1



I guess you could add an entry into the hosts file on the computer and have the port removed.


--------------------
Thanks,
Jacob Haug
holger
post Jun 8 2008, 03:31 PM
Post #3


Fresh Squeezed
**

Group: Members
Posts: 30
Joined: 6-March 08
From: Birmingham
Member No.: 196



QUOTE (Monie @ Jun 8 2008, 02:47 AM) *
You see that displaying the port number is not a good way security-wise :D

I don't quite see why showing the port number should be a security issue. Every network connection has to access some port. And that port must be known on the client side. By default HTTP uses port 80. If you want to change that default behaviour you need to specify it somewhere on the client computer.

The alternative is to configure your server to map a subdomain to a specific port number. So your URL would look like this:
http://esales.SERVERNAME/esales/login.jsp
As far as I know, you can use mod_rewrite when using the Apache web server to achieve this.

That would make the URL look nicer, but it wouldn't make any difference for the security.


--------------------
Viventic Web Design and Application Development
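
The hostname-to-port mapping described in post #3, sketched as an Apache reverse-proxy virtual host (an added example, not part of the original posts). The hostname `esales.example.com` and the backend address `10.0.0.20` are constructed placeholders, and the sketch uses mod_proxy rather than mod_rewrite on its own; as the post says, this changes what the URL looks like, not how exposed the service is.

```apache
# Added example: name-based reverse proxy so that links no longer carry ":8989".
# Port 8989 and the /esales/ path come from the URL in post #1; the hostname and
# the backend IP below are constructed placeholders.
# Requires mod_proxy and mod_proxy_http to be loaded.

<VirtualHost *:80>
    ServerName esales.example.com

    # Act as a reverse proxy only, never as an open forward proxy.
    ProxyRequests Off

    # Relay /esales/ on the standard port to the application's own port.
    ProxyPass        /esales/ http://10.0.0.20:8989/esales/

    # Rewrite Location headers in backend redirects, so a redirect issued by
    # the application does not send the browser to 10.0.0.20:8989 directly.
    ProxyPassReverse /esales/ http://10.0.0.20:8989/esales/

    # The same relay written with mod_rewrite, whose [P] flag hands the
    # request to mod_proxy (ProxyPassReverse is still needed for redirects):
    # RewriteEngine On
    # RewriteRule ^/esales/(.*)$ http://10.0.0.20:8989/esales/$1 [P,L]

    # Log what is relayed, so access to the application can be reviewed
    # in one place.
    CustomLog logs/esales_access.log combined
</VirtualHost>
```

The application is still reachable by anyone who can reach the proxy, so authentication on the login page and the firewall rules in front of the backend carry the security, not the absence of a port number in the link.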
Monie
post Jun 8 2008, 08:13 PM
Post #4


Squeeze Machine
*****

Group: Members
Posts: 698
Joined: 13-February 08
From: Borneo
Member No.: 8



Well, Holger's suggestion will be OK if the user accesses the file locally, but the problem is that this system will be accessed from outside as well.
So that's why the firewall will be the link between the outside world and the inside system :D

If you access the link locally, the link will be like this: http://SERVERNAME/esales/login.jsp
If it is from outside, the link will be like this: http://SERVERNAME:9898/esales/login.jsp
So as you can see, the firewall will route the port 9898 to the appropriate server (IP Address) inside the organization.

Any suggestion guys?


--------------------

Jacob
post Jun 8 2008, 08:18 PM
Post #5


Co-Founder
******

Group: Co-Founders
Posts: 2,410
Joined: 13-February 08
From: On the forum!
Member No.: 1



Oh, I now understand how this could be a security hole. If it were Linux I could help you configure your http.conf file to fix that issue. However, since you are on Windows, it's up to you. I never worked with Windows Servers, just the OS.


--------------------
Thanks,
Jacob Haug
Monie
post Jun 8 2008, 09:03 PM
Post #6


Squeeze Machine
*****

Group: Members
Posts: 698
Joined: 13-February 08
From: Borneo
Member No.: 8



Oh please Jacob...! Please help me please! :D LOL


--------------------

holger
post Jun 9 2008, 05:25 AM
Post #7


Fresh Squeezed
**

Group: Members
Posts: 30
Joined: 6-March 08
From: Birmingham
Member No.: 196



QUOTE (Monie @ Jun 9 2008, 02:13 AM) *
So as you can see, the firewall will route the port 9898 to the appropriate server (IP Address) inside the organization.


This seems to me a configuration problem of the firewall and not of the server itself.

If I understand this correctly, the firewall receives requests on port 9898 from the outside. Requests on that port are then mapped to the other server. I understand that internally that server uses the standard port 80 to receive requests (that's why you can use http://SERVERNAME/esales/login.jsp inside the organization).

For requests coming from the outside, the firewall has to somehow know where to map the request. In your case this is done via the port number. It could probably be done using a subdomain as well.

I still don't see the real security issue. But I am not a security expert.
I access a number of services through non-standard port numbers. Could someone please explain?


--------------------
Viventic Web Design and Application Development
Monie
post Jun 9 2008, 05:55 AM
Post #8


Squeeze Machine
*****

Group: Members
Posts: 698
Joined: 13-February 08
From: Borneo
Member No.: 8



OK, anyone who wants to access the system on the server from outside will be using the internet.
My company uses a third-party service which will route the address to our very own server.
The address given by the service will point to our firewall using port 80, so in our firewall any incoming request on port 80 will be redirected to another server (IIS server) which contains the system's main interface (HTML page) that has the link to the "System".

OK... in that HTML page, there is a link something like this: http://SERVICE_NAME:9898/esales/login.jsp to access the "System" login page.
(which can be accessed locally by just typing: http://SERVERNAME:9898/esales/login.jsp)

That link will go to the third-party service and link back to our firewall with that particular port number "9898", which will be rerouted by the firewall to the "System" login page.
The problem is that the link itself contains the port number, which will be viewable by the user if they hover over the link.
That is what I am worried about. Exposing the port number to the user.

QUOTE (holger @ Jun 9 2008, 06:25 PM) *
It could probably be done using a subdomain as well.


How do I do that with a subdomain?
Can you explain a bit more?
Cheers...


--------------------

holger
post Jun 9 2008, 09:15 AM
Post #9


Fresh Squeezed
**

Group: Members
Posts: 30
Joined: 6-March 08
From: Birmingham
Member No.: 196



QUOTE (Monie @ Jun 9 2008, 11:55 AM) *
The problem is that the link itself contains the port number, which will be viewable by the user if they hover over the link.
That is what I am worried about. Exposing the port number to the user.


OK. I understand that the port number will be exposed to the user. But where is the security issue in that? The client must know the port number to send the request to in any case. The only difference is that it's not the default port number 80. As long as you don't have an insecure service listening to that port

I am using a hosting service, where the different control panels are all mapped to different port numbers. They don't have any problem with exposing the port numbers to the user.

QUOTE (Monie @ Jun 9 2008, 11:55 AM) *
How do I do that with a subdomain?
Can you explain a bit more?


Well that depends. You might be able to configure subdomains with your third party service provider. Or you might be able to configure it on your firewall. I'm no expert on this and without looking at the exact configuration I wouldn't be able to tell.


--------------------
Viventic Web Design and Application Development
Monie
post Jun 9 2008, 10:17 PM
Post #10


Squeeze Machine
*****

Group: Members
Posts: 698
Joined: 13-February 08
From: Borneo
Member No.: 8



QUOTE (Jacob @ Jun 9 2008, 09:18 AM) *
Oh, I now understand how this could be a security hole. If it were Linux I could help you configure your http.conf file to fix that issue. However, since you are on Windows, it's up to you. I never worked with Windows Servers, just the OS.


I asked for help on this matter just because my boss said it is a security issue, the same as what Jacob said earlier :D
Jacob, can you explain this to me too? I mean the security part :D

Cheers...


--------------------

christopher
post Jun 10 2008, 07:55 PM
Post #11


Fresh Squeezed
**

Group: Members
Posts: 27
Joined: 15-February 08
From: Ottawa, Canada
Member No.: 154



I agree with holger, I don't consider this a security issue.

You're running a public HTTP service on a non-standard port. How is it any more dangerous for people to know that your HTTP service is on 8989 than it is for them to know that your HTTP is on standard port 80?
Monie
post Jun 10 2008, 08:27 PM
Post #12


Squeeze Machine
*****

Group: Members
Posts: 698
Joined: 13-February 08
From: Borneo
Member No.: 8



Well, my boss insists that I "hide" them :D


--------------------
