thelok
Level 7
Message 1 of 7

DNS Redirect and Certificate Common Name


Hello,

I have a DNS server that redirects certain domains to another domain. For example if someone puts in their url: "original.com" they will be redirected via DNS to "new.com". The problem is that for HTTPS the certificate's common name has "new.com" and so the browser gives the user a certificate warning/error because it does not match the domain "original.com" in the URL.

While I could create a rule to check the URL's domain "original.com" and the destination IP to see if it matches "new.com" and do a WebGateway "Redirect" action, are there other methods for resolving the certificate's common name? For example, having the capability to modify the certificate's common name to "original.com"?

Thanks

Accepted Solution

Re: DNS Redirect and Certificate Common Name


Hi thelok,

You cannot modify the certificate CN. Also, the redirection is done by HTTP (code 3xx), not by DNS, since in your DNS server you'll have records that point to an IP address.

If I understood correctly, you'll need to have one certificate for each server (if it is the same server, two IP addresses, each bound to a website), like www.original.com (CN=www.original.com) and www.new.com (CN=www.new.com). Then, you can issue HTTP 301 for permanent redirection or HTTP 307 for temporary redirection.

I don't know exactly how to do URL.Redirect in MWG (never done it), but I believe that would be a better solution than URL.rewrite, since it's important that the URL changes because of CN validation in the web browser.

See this topic, where they talk about URL redirection.

Hope this helps in solving, or at least in finding, the right solution.

Regards,

Pedro Tavares

6 Replies
jscholte
McAfee Employee
Message 2 of 7

Re: DNS Redirect and Certificate Common Name


Hi thelok,

I'm struggling to see how the DNS redirection causes this problem. Are you saying that the DNS server will give the IP of "new.com" when it sees a request for "original.com"?

I'm also struggling to understand how MWG is supposed to play a role in this. Is MWG a forward or reverse proxy? Do you own "original.com" and "new.com"?

Best Regards,

Jon

thelok
Level 7
Message 3 of 7

Re: DNS Redirect and Certificate Common Name


Yes, the DNS server will give the IP of "new.com" when it sees the request for "original.com". The MWG is a forward proxy and we do not own "original.com". The reason for the redirect is that we have some DNS level blocking of malware/bad sites -- so when someone goes to a bad site that we have internally blocked then we want to redirect them to an internal site we own.

I know we can do this interaction directly in MWG but can MWG handle this situation of DNS redirection?

jscholte
McAfee Employee
Message 4 of 7

Re: DNS Redirect and Certificate Common Name


Hi thelok,

On MWG this would be solved by blocking the IP address of "new.com". MWG will then issue the certificate correctly for "original.com".

Would this work? Or do you want the user to see the content of "new.com" instead?

Best Regards,

Jon
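An added example, not from this thread or from McAfee: a Go program that reproduces offline the three situations discussed so far, namely the sinkhole host presenting its own "new.com" certificate while the URL still says "original.com", a certificate renamed to "original.com" but issued by a CA the browser does not trust, and a certificate for "original.com" minted by a forward proxy whose CA the browser does trust. The CA names, the KeyPair/BrowserCheck/Scenario helpers and the single-root trust store are assumptions made for the example; it uses only Go's standard crypto/x509 verifier, which matches the URL host against the certificate's SAN entries the way current browsers do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyPair is a certificate plus its private key (a CA or a server identity).
type KeyPair struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// template builds a CA template (isCA) or a server-certificate template for name.
// The leaf's name goes into the SAN list: browsers match the URL host against SAN, not CN.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key for tmpl and signs it with parent (self-signed when
// parent is nil). An intercepting proxy does this per connection, naming the host from the client's SNI.
func issue(parent *KeyPair, tmpl *x509.Certificate) *KeyPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // unexpected crypto failure: abort the demo
	}
	signer, parentCert := key, tmpl
	if parent != nil {
		signer, parentCert = parent.Key, parent.Cert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &KeyPair{Cert: cert, Key: key}
}

// BrowserCheck does what the browser does: the chain must end at a trusted root
// AND the URL host must appear among the certificate's names.
func BrowserCheck(leaf, trustedRoot *x509.Certificate, urlHost string) string {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: urlHost, Roots: roots})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError:
		return "hostname mismatch"
	case x509.UnknownAuthorityError:
		return "untrusted issuer"
	}
	return err.Error()
}

// Scenario replays the thread offline. Assumed (not from the thread): the browser
// trusts exactly one root, the proxy's CA, and the sinkhole's new.com cert chains to it.
func Scenario() map[string]string {
	proxyCA := issue(nil, template("Enterprise Proxy CA", true))        // trusted by the browser
	sinkholeCA := issue(nil, template("Sinkhole Self-Signed CA", true)) // not in the trust store
	present := func(issuer *KeyPair, certName string) string {
		leaf := issue(issuer, template(certName, false))
		return BrowserCheck(leaf.Cert, proxyCA.Cert, "original.com") // the URL host never changes
	}
	return map[string]string{
		"sinkhole cert for new.com":          present(proxyCA, "new.com"),         // what the sinkhole presents today
		"self-issued cert for original.com":  present(sinkholeCA, "original.com"), // "just change the CN" attempt
		"proxy-minted cert for original.com": present(proxyCA, "original.com"),    // what the intercepting proxy presents
	}
}

func main() {
	for label, outcome := range Scenario() {
		fmt.Printf("%-36s -> %s\n", label, outcome)
	}
}
```

Run it with `go run`. The outcome is decided by two independent checks, and only a certificate that passes both is accepted: the sinkhole's own certificate fails on the name, a certificate that merely says "original.com" fails on the issuer, and the one the intercepting proxy mints passes because the proxy both names the requested host and signs with a CA the clients already trust. That is the difference between changing a CN on the sinkhole host and letting the proxy issue the certificate.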

thelok
Level 7
Message 5 of 7

Re: DNS Redirect and Certificate Common Name


Hi Jon, thanks for replying.

We don't want to block the IP address of "new.com", we just want to redirect users that try to go to "original.com" to "new.com" via DNS redirection.

The problem is that the SSL certificate's "Common Name" is "new.com" but the browser's URL is "original.com", so the browser generates an error/warning. The question is can we have MWG change the Common Name from "new.com" to "original.com" so that the browser doesn't complain? Or is there some other way to handle this?

thelok
Level 7
Message 7 of 7

Re: DNS Redirect and Certificate Common Name


Thanks Pedro, I think we may have to resort to using the Redirect action in MWG.
