thelok
Level 7

DNS Redirect and Certificate Common Name

Hello,

I have a DNS server that redirects certain domains to another domain. For example, if someone puts "original.com" in their URL, they will be redirected via DNS to "new.com". The problem is that for HTTPS the certificate's common name is "new.com", and so the browser gives the user a certificate warning/error because it does not match the domain "original.com" in the URL.

While I could create a rule to check the URL's domain "original.com" and the destination IP to see if it matches "new.com" and do a WebGateway "Redirect" action, are there other methods for resolving the certificate's common name? For example, having the capability to modify the certificate's common name to "original.com"?

Thanks

0 Kudos
6 Replies
McAfee Employee

Re: DNS Redirect and Certificate Common Name

Hi thelok,

I'm struggling to see how the DNS redirection causes this problem. Are you saying that the DNS server will give the IP of "new.com" when it sees a request for "original.com"?

I'm also struggling to understand how MWG is supposed to play a role in this. Is MWG a forward or reverse proxy? Do you own "original.com" and "new.com"?

Best Regards,

Jon

0 Kudos
thelok
Level 7

Re: DNS Redirect and Certificate Common Name

Yes, the DNS server will give the IP of "new.com" when it sees the request for "original.com". The MWG is a forward proxy and we do not own "original.com". The reason for the redirect is that we have some DNS-level blocking of malware/bad sites -- so when someone goes to a bad site that we have internally blocked, we want to redirect them to an internal site we own.

I know we can do this interaction directly in MWG but can MWG handle this situation of DNS redirection?

0 Kudos
McAfee Employee

Re: DNS Redirect and Certificate Common Name

Hi thelok,

On MWG this would be solved by blocking the IP address of "new.com". MWG will then issue the certificate correctly for "original.com".

Would this work? Or do you want the user to see the content of "new.com" instead?

Best Regards,

Jon

0 Kudos
thelok
Level 7

Re: DNS Redirect and Certificate Common Name

Hi Jon, thanks for replying.

We don't want to block the IP address of "new.com", we just want to redirect users that try to go to "original.com" to "new.com" via DNS redirection.

The problem is that the SSL certificate's "Common Name" is "new.com" but the browser's URL is "original.com", so the browser generates an error/warning. The question is can we have MWG change the Common Name from "new.com" to "original.com" so that the browser doesn't complain? Or is there some other way to handle this?

0 Kudos
pedro.tavares
Level 10

Re: DNS Redirect and Certificate Common Name

Hi thelok,

You cannot modify the certificate CN. Also, the redirection is done by HTTP (code 3xx), not by DNS, since in your DNS server you'll have records that point to IP addresses.

If I understood correctly, you'll need to have one certificate for each server (if it is the same server, two IP addresses, each bound to a website), like www.original.com (CN=www.original.com) and www.new.com (CN=www.new.com). Then, you can issue HTTP 301 for permanent redirection or HTTP 307 for temporary redirection.

I don't know exactly how to do URL.Redirect in MWG (never done it), but I believe that would be a better solution than URL.rewrite, since it's important that the URL changes because of CN validation in the web browser.

See this topic, where they talk about URL redirection.

Hope this helps on solving or at least finding the right solution.

Regards,

Pedro Tavares

0 Kudos
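The thread's core point (Jon's and Pedro's replies) is that the browser checks the server certificate against the host name the user typed, not against the IP the DNS sinkhole handed back, so a DNS-level redirect to a server holding a "new.com" certificate can never satisfy a request for "original.com". The following is an added example written for this page, not code from the thread, from McAfee, or from MWG. It models that check with a small RFC 6125-style name matcher over constructed certificate dictionaries shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, then contrasts the three designs discussed: the DNS redirect (fails), an intercepting forward proxy that mints a certificate for the requested name as Jon describes (passes), and Pedro's HTTP 301/307 redirect served from a host that has its own valid certificate. The host names, IP addresses and certificates are all constructed for the example.

```python
"""Why a DNS redirect breaks HTTPS, and what the two alternatives look like.

Certificates below are constructed dictionaries in the shape returned by
ssl.SSLSocket.getpeercert(); nothing here touches the network.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a host name.

    A wildcard is accepted only as the entire leftmost label and must leave
    at least two further labels, so "*.new.com" matches "www.new.com" but not
    "a.b.new.com", and "*.com" matches nothing.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """Names a browser will accept for this certificate.

    Modern browsers only honour subjectAltName dNSName entries; the CN is
    consulted here solely when the certificate carries no SAN at all, which
    is the legacy behaviour the thread's CN wording refers to.
    """
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def verify_hostname(cert: dict, hostname: str) -> bool:
    """True when any name in the certificate covers the requested host name."""
    return any(hostname_matches(name, hostname) for name in certificate_names(cert))


# Constructed certificate for the internal block page "new.com".
NEW_COM_CERT = {
    "subject": ((("commonName", "new.com"),),),
    "subjectAltName": (("DNS", "new.com"), ("DNS", "www.new.com")),
}

# Constructed sinkhole resolver: the blocked name resolves to the same
# (constructed) address as the internal site, exactly as described in the thread.
RESOLVER = {"original.com": "10.0.0.5", "new.com": "10.0.0.5"}
CERTS_BY_IP = {"10.0.0.5": NEW_COM_CERT}


def simulate_dns_redirect(requested_host: str, resolver=RESOLVER, certs_by_ip=CERTS_BY_IP) -> bool:
    """Design 1 (the thread's starting point): resolve the typed name, connect to
    that IP, accept whatever certificate that server presents, and verify it
    against the name the user typed. The redirect never enters the check."""
    ip = resolver[requested_host]
    return verify_hostname(certs_by_ip[ip], requested_host)


def proxy_issued_cert(requested_host: str) -> dict:
    """Design 2 (Jon's reply): a TLS-intercepting forward proxy that decides to
    block the destination mints a certificate for the host the client asked
    for, signed by a CA the clients already trust. Hypothetical helper that
    only models the resulting name fields, not the signing."""
    return {
        "subject": ((("commonName", requested_host),),),
        "subjectAltName": (("DNS", requested_host),),
    }


def redirect_response(location: str, permanent: bool = True) -> str:
    """Design 3 (Pedro's reply): the server reached under its own valid
    certificate answers with an HTTP 301 (permanent) or 307 (temporary)
    redirect, so the browser's URL, and therefore the name it verifies next,
    changes to the destination."""
    status = "301 Moved Permanently" if permanent else "307 Temporary Redirect"
    return f"HTTP/1.1 {status}\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    print("new.com via DNS     :", simulate_dns_redirect("new.com"))        # True
    print("original.com via DNS:", simulate_dns_redirect("original.com"))   # False
    print("proxy-minted cert   :", verify_hostname(proxy_issued_cert("original.com"), "original.com"))
    print(redirect_response("https://new.com/", permanent=False))
```

Run as-is, the script shows the mismatch the original poster saw (`original.com` resolved to the `new.com` server fails verification) and why the other two replies avoid it: the intercepting proxy presents a name that matches the request, and the HTTP redirect changes the name the browser verifies rather than trying to make one certificate answer for two names.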
thelok
Level 7

Re: DNS Redirect and Certificate Common Name

Thanks Pedro, I think we may have to resort to using the Redirect action in MWG.

0 Kudos