Rail Users Ireland Forum

Irish Rail Smartcard website and security (http://www.railusers.ie/forum/showthread.php?t=12322)

Mark Hennessy 27-04-2010 21:03

Quote:

Originally Posted by Mark Gleeson (Post 55759)
Port 8443 is actually a fairly common port to use. It's not a permanent issue; it's being looked into right now. I can view the site through the firewall I'm behind, which is strict.

Surely they can just use 443 though for SSL which I believe is standard?

How many of their potential business customers will be unable to use that site due to their corporate firewalls?

Thomas Ralph 27-04-2010 21:08

Mark and I discussed this one earlier. They can't use port 443 because the smartcard backend is on a different server to the reservations backend.

zag 28-04-2010 08:23

Bad move on the 8443 stuff. This won't be a problem for the vast majority of users as their firewall or proxy is configured accordingly, but for quite a number of workplaces this will be a problem as they will normally allow TCP80 & TCP443 outbound without issue, but block other ports. This can be changed, but I know what would happen if I put in a change request in my company to gain access to the Irish Rail website on port 8443 . . . . it would take forever, the network guys would grumble, it would go to the bottom of the list because it's not business critical, etc . . .

There's a reason that people use ports 80 & 443 as standard - it's because they're, you know, standard.

There are ways of getting around this issue on the Irish Rail side - it just needed a little forethought and planning on their side - change one thing once on their side and not require multiple customers to change something on their side multiple times.

Mark - did you say the full journey is charged at half the price of a return journey in your initial post, or is one leg of the journey charged at half the price of the return, with two legs costing the same as a return? If it's the same as a return I would have to say it's another opportunity lost - there should be some discount, some incentive, something to encourage users to use it. If it costs the same amount as a cash fare then while some people will move to it to avoid the queue at the ticket office, there will still be a lot of people who don't want to shell out in advance. Give them a discount, even a small one, and I think usage would increase.

z

Thomas Ralph 28-04-2010 08:37

Each leg of the journey costs half the return fare. So a single from Bray to Connolly costs €2.35 instead of €2.75. A return is the same as the booking office or vending machine fare. This was the same fare structure Veolia adopted when it launched its smartcard, although there have been few to no smartcard fare increases but several standard ticket increases over the intervening years.

A smartcard is currently the best value for people who make odd journeys, single journeys, or journeys to and from different stations. It's also best for people who make 5 or fewer journeys in a 3-day period, or people whose normal return fare is €2.80 and make 9 or fewer journeys in a 7-day period.

There is a project underway for price capping so that smartcard users will only pay the cost of the lowest possible combination of tickets for the journeys they make in a 3-day or 7-day period.

Mark Gleeson 28-04-2010 08:40

All journeys are priced at half equivalent return fare. So a return journey costs the same.

A significant portion of ticket sales are still singles. A lot of people purchase singles in the morning as they don't know how they will be getting home that evening. A lot of people queue up for returns every morning as well.

Daily and weekly price capping is something we are discussing with Irish Rail. That would go beyond the now famous Oyster card functionality in London which only handles daily capping. That's the killer function for us as it ensures the lowest fares over a week of use.

The port issue is something we raised with IE; it will be fixed in due course. I have no problem from behind two different corporate firewalls.

finnyus 28-04-2010 09:04

When clicking on the "smart card" banner on the home page of irishrail.ie, I get the following:

Quote:

This web page is not available.

The web page at null might be temporarily down or it may have moved permanently to a new web address.

More information on this error
Below is the original error message

Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.
The address in the address bar is: https://www.irishrail.ie:8443/smartc...nonymousIV.jsf

Is the only way to access this page via the banner or is there a link somewhere else on the website?

Thomas Ralph 28-04-2010 09:40

Going to www.irishrail.ie/smartcard will take you to the same place, but per the posts above it is unlikely to make a difference for you.

finnyus 28-04-2010 09:43

Quote:

Originally Posted by Thomas Ralph (Post 55787)
Going to www.irishrail.ie/smartcard will take you to the same place, but per the posts above it is unlikely to make a difference for you.

Nope, the same. I thought it might be because I was using Google Chrome, but it's the same for Firefox & Internet Explorer.

Thomas Ralph 28-04-2010 09:45

The fact that you get an error is not browser-dependent (although the text of the error might be). The error is due to some corporate (and other) firewalls blocking port 8443.

al2637 28-04-2010 13:54

Quote:

Originally Posted by Thomas Ralph (Post 55772)
Mark and I discussed this one earlier. They can't use port 443 because the smartcard backend is on a different server to the reservations backend.

Of course they can, it's called a load balancer, or simple mod_jk in Apache. We do this all the time.

Thomas Ralph 28-04-2010 14:10

One is IIS and the other is Apache.

zag 28-04-2010 15:04

Erm, this is the world of IT - all things are possible. Take it from me that there are multiple ways that this sort of situation could be handled without involving the use of 8443. F'rexample, they could use a different IP address for the second server . . . I doubt very much that they only have a single IP address available.

For reference, I am also unable to access the site from my workplace because our firewall configuration does not allow us establish sessions on 8443. Yes, I know Mark can access it.

The IP address behind www.cie.ie belongs to a set of 255 assigned to CIE - http://www.db.ripe.net/whois?form_ty...194.106.151.77

All they need to do is use another one (say 151.78), assign a new hostname (say smartcard.cie.ie) to it, point it to the other server and they're done. Tadaaa. That'll be €15,000 in consultancy fees please.

z

Thomas Ralph 28-04-2010 15:25

That would require a new SSL certificate.

markpb 28-04-2010 15:30

Quote:

Originally Posted by Thomas Ralph (Post 55812)
That would require a new SSL certificate.

It's not hard to terminate the SSL connection on one machine and then direct one URL to the IIS server and another to the Apache server. It's fully acceptable to do that under PCI-DSS rules. There's no reason for Irish Rail to adopt the approach they've taken other than laziness.

al2637 28-04-2010 16:53

IIS or Apache doesn't matter, they can both tunnel to each other. In fact I'd assume they'd have an SSL layer at the front (usually a separate hardware device; doing SSL on a webserver isn't the most efficient use of resources), this then distributes traffic to the various backend presentation layers (usually not under https either).

Anyway, end of tech. chat. There are numerous ways to do it, IE, sort it out.

robdrysdale 28-04-2010 16:58

Quote:

Originally Posted by markpb (Post 55813)
It's not hard to terminate the SSL connection on one machine and then direct one URL to the IIS server and another to the Apache server. It's fully acceptable to do that under PCI-DSS rules. There's no reason for Irish Rail to adopt the approach they've taken other than laziness.

Yep. It's called ProxyPass on Apache and I believe Application Request Routing on IIS (which I believe they are running on their main irishrail.ie server). See http://www.iis.net/download/ApplicationRequestRouting Pretty trivial to do. Use it all the time on servers in work.

Running on port 8443 is pretty bad IT really.

Also, from a security perspective, I don't think I'd ever expose an Apache Tomcat server directly to the external world as they have done. I'd question whether their infrastructure can handle the load of many thousands of users as this system goes live.
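
The single-port arrangement described in the posts above (TLS terminated once on port 443, then routed by URL to two backends), as an added example that is not part of the original posts and is not Irish Rail's configuration. The backend addresses, backend ports and certificate paths are placeholders; which backend runs which server software is taken from what the posters believe.

```apache
# Added example: one public HTTPS listener on 443 that terminates TLS and
# routes by URL path to two internal backends.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
# All 10.0.0.x addresses, backend ports and file paths are placeholders.
<VirtualHost *:443>
    ServerName www.irishrail.ie

    # TLS ends here, so the certificate already issued for this hostname
    # covers both applications and clients only need outbound TCP 443.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Tell the backends the client connection was HTTPS so the links and
    # redirects they generate stay on https:// and on port 443.
    RequestHeader set X-Forwarded-Proto "https"

    # Smartcard application (the Tomcat backend in the thread).
    # The more specific path must come before the catch-all below.
    ProxyPass        /smartcard/ http://10.0.0.20:8080/smartcard/
    ProxyPassReverse /smartcard/ http://10.0.0.20:8080/smartcard/

    # Everything else goes to the main site backend (IIS in the thread).
    ProxyPass        / http://10.0.0.10:80/
    ProxyPassReverse / http://10.0.0.10:80/

    # The backend hops above are plain HTTP on an internal segment. If
    # policy requires encryption to the backend, enable SSLProxyEngine
    # and use https:// backend URLs instead.
</VirtualHost>

# With this in place the Tomcat connector should listen only on the
# internal address, and the perimeter firewall should drop inbound
# traffic to 8080/8443 so the application server is not reachable
# directly from the internet.
```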

Mark Gleeson 28-04-2010 18:59

We continue to work with Irish Rail to sort out issues with the system. Several more bugs got squashed today.

We are not privy to the exact setup Irish Rail have; the port issue is an issue we have raised and is a priority issue to solve. The smartcard functions fine without the website, and you can get one from a ticket vending machine anywhere in Dublin.

Mark Hennessy 28-04-2010 21:45

Just a reminder that bugs and issues with the Smartcards and Smartcard use while commuting go here:
http://www.railusers.ie/forum/showthread.php?t=12317

IT specific issues with the website can stay here on this thread.

