I'm struggling to see how the DNS redirection causes this problem. Are you saying that the DNS server will give the IP of "new.com" when it sees a request for "original.com"?
I'm also struggling to understand how MWG is supposed to play a role in this. Is MWG a forward or reverse proxy? Do you own "original.com" and "new.com"?
Yes, the DNS server will give the IP of "new.com" when it sees the request for "original.com". The MWG is a forward proxy and we do not own "original.com". The reason for the redirect is that we have some DNS level blocking of malware/bad sites -- so when someone goes to a bad site that we have internally blocked then we want to redirect them to an internal site we own.
I know we can do this interaction directly in MWG but can MWG handle this situation of DNS redirection?
On MWG this would be solved by blocking the IP address of "new.com". MWG will then issue the certificate correctly for "original.com".
Would this work? Or do you want the user to see the content of "new.com" instead?
Hi Jon, thanks for replying.
We don't want to block the IP address of "new.com", we just want to redirect users that try to go to "original.com" to "new.com" via DNS redirection.
The problem is that the SSL certificate's "Common Name" is "new.com" but the browser's URL is "original.com", so the browser generates an error/warning. The question is can we have MWG change the Common Name from "new.com" to "original.com" so that the browser doesn't complain? Or is there some other way to handle this?
You cannot modify the certificate CN. Also, the redirection is done by HTTP (code 3xx), not by DNS, since in your DNS server you'll have records that point to an IP address.
If I understood correctly, you'll need to have one certificate for each server (if it is the same server, two IP addresses, each bound to a website), like www.original.com (CN=www.original.com) and www.new.com (CN=www.new.com). Then, you can issue HTTP 301 for permanent redirection or HTTP 307 for temporary redirection.
I don't know exactly how to do URL.Redirect in MWG (never done it), but I believe that would be a better solution than URL.rewrite, since it's important that the URL changes because of CN validation in the web browser.
See this topic, where they talk about URL redirection: Redirect a URL
Hope this helps in solving or at least finding the right solution.
Thanks Pedro, I think we may have to resolve to using the Redirect action in MWG.
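The name check behind the browser warning discussed in this thread, as an added example that is not part of any post above: it models why a DNS-level redirect leaves the client validating "original.com" against a certificate for "new.com", while an HTTP 3xx changes the name being validated. The IP address, the lookup tables and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed data: the thread's placeholder hostnames and a documentation-range IP.
BLOCK_PAGE_IP = "192.0.2.10"
DNS_OVERRIDE = {"original.com": BLOCK_PAGE_IP, "new.com": BLOCK_PAGE_IP}
CERT_NAMES = {BLOCK_PAGE_IP: ["new.com"]}  # names in the certificate served there

def name_matches(pattern, host):
    """Exact match, or one left-most '*' label standing for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def validate(url):
    """Return (host the client checks, result). The host comes from the URL;
    DNS only decides which server, and so which certificate, answers."""
    host = urlsplit(url).hostname
    ip = DNS_OVERRIDE[host]
    return host, any(name_matches(n, host) for n in CERT_NAMES[ip])

def after_http_redirect(location):
    """A 3xx response replaces the URL, so the next handshake is validated
    against the Location host. Assumes the 3xx itself arrived over a
    connection the client already accepted (for example from the proxy)."""
    return validate(location)

if __name__ == "__main__":
    print(validate("https://original.com/"))        # DNS redirect only
    print(after_http_redirect("https://new.com/"))  # HTTP redirect to new.com
```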