6 Replies Latest reply on Feb 10, 2015 1:29 PM by thelok

    DNS Redirect and Certificate Common Name

    thelok

      Hello,

      I have a DNS server that redirects certain domains to another domain. For example if someone puts in their url: "original.com" they will be redirected via DNS to "new.com". The problem is that for HTTPS the certificate's common name has "new.com" and so the browser gives the user a certificate warning/error because it does not match the domain "original.com" in the URL.

      While I could create a rule to check the URL's domain "original.com" and the destination IP to see if it matches "new.com" and do a WebGateway "Redirect" action, are there other methods for resolving the certificate's common name? For example, having the capability to modify the certificate's common name to "original.com"?

      Thanks

        • 1. Re: DNS Redirect and Certificate Common Name
          Jon Scholten

          Hi thelok,

          I'm struggling to see how the DNS redirection causes this problem. Are you saying that the DNS server will give the IP of "new.com" when it sees a request for "original.com"?

          I'm also struggling to understand how MWG is supposed to play a role in this. Is MWG a forward or reverse proxy? Do you own "original.com" and "new.com"?

          Best Regards,

          Jon

          • 2. Re: DNS Redirect and Certificate Common Name
            thelok

            Yes, the DNS server will give the IP of "new.com" when it sees the request for "original.com". The MWG is a forward proxy and we do not own "original.com". The reason for the redirect is that we have some DNS-level blocking of malware/bad sites -- so when someone goes to a bad site that we have internally blocked, we want to redirect them to an internal site we own.

            I know we can do this interaction directly in MWG but can MWG handle this situation of DNS redirection?

            • 3. Re: DNS Redirect and Certificate Common Name
              Jon Scholten

              Hi thelok,

              On MWG this would be solved by blocking the IP address of "new.com". MWG will then issue the certificate correctly for "original.com".

              Would this work? Or do you want the user to see the content of "new.com" instead?

              Best Regards,

              Jon

              • 4. Re: DNS Redirect and Certificate Common Name
                thelok

                Hi Jon, thanks for replying.

                We don't want to block the IP address of "new.com", we just want to redirect users that try to go to "original.com" to "new.com" via DNS redirection.

                The problem is that the SSL certificate's "Common Name" is "new.com" but the browser's URL is "original.com", so the browser generates an error/warning. The question is can we have MWG change the Common Name from "new.com" to "original.com" so that the browser doesn't complain? Or is there some other way to handle this?

                • 5. Re: DNS Redirect and Certificate Common Name
                  pedro.tavares

                  Hi thelok,

                  You cannot modify the certificate CN. Also, the redirection is done by HTTP (code 3xx), not by DNS, since in your DNS server you'll have records that point to IP addresses.

                  If I understood correctly, you'll need to have one certificate for each server (if it is the same server, two IP addresses, each bound to a website), like www.original.com (CN=www.original.com) and www.new.com (CN=www.new.com). Then, you can issue HTTP 301 for permanent redirection or HTTP 307 for temporary redirection.

                  I don't know exactly how to do URL.Redirect in MWG (never done it), but I believe that would be a better solution than URL.rewrite, since it's important that the URL changes because of CN validation in the web browser.

                  See this topic, where they talk about URL redirection: Redirect a URL

                  Hope this helps in solving, or at least finding, the right solution.

                  Regards,

                  Pedro Tavares
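As an added illustration of Pedro's point (this is example code, not from the thread or from MWG): the DNS answer only decides which IP the browser connects to, and the certificate presented at that IP must still match the name typed in the URL before any HTTP 301 can be delivered. The hostnames, the landing URL and the internally issued certificate are constructed placeholders.

```python
# Added example: models why the DNS sinkhole in this thread trips the browser's
# hostname check, and why the sinkhole must present a certificate for the
# *requested* name before an HTTP 301 can take effect. Names are constructed.
from dataclasses import dataclass, field

@dataclass
class Cert:
    common_name: str
    sans: list = field(default_factory=list)   # dNSName SAN entries

def cert_matches_host(cert, host):
    """RFC 6125-style check: SANs win when present, else the CN; a wildcard
    is accepted only as the whole leftmost label of a name with 3+ labels."""
    names = cert.sans or [cert.common_name]
    host_labels = host.lower().rstrip(".").split(".")
    for name in names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host_labels):
            continue
        first_ok = pat[0] == host_labels[0] or (pat[0] == "*" and len(pat) >= 3)
        if first_ok and pat[1:] == host_labels[1:]:
            return True
    return False

def sinkhole_response(requested_host, sni_certs, default_cert, landing_url):
    """What the sinkhole at the redirected IP does for one HTTPS request.
    sni_certs maps hostname -> Cert selected via TLS SNI; default_cert is
    what the server presents when no SNI match exists (CN=new.com here)."""
    cert = sni_certs.get(requested_host.lower(), default_cert)
    if not cert_matches_host(cert, requested_host):
        # TLS fails before any HTTP is exchanged: the 3xx never reaches the browser
        return {"status": "cert_warning", "presented_cn": cert.common_name}
    # Handshake succeeded, so the HTTP-level redirect Pedro describes can happen
    return {"status": 301, "location": landing_url}

BLOCKED = "original.com"          # constructed: a domain the DNS sinkhole rewrites
LANDING = "https://new.com/blocked"
NEW_COM_CERT = Cert("new.com", ["new.com", "www.new.com"])

# Case 1: only the landing-page cert exists -> the mismatch from the thread
WITHOUT_SNI = sinkhole_response(BLOCKED, {}, NEW_COM_CERT, LANDING)

# Case 2: an internally issued cert for the blocked name is served via SNI
INTERNAL_CERTS = {BLOCKED: Cert(BLOCKED, [BLOCKED])}   # constructed internal-CA cert
WITH_SNI = sinkhole_response(BLOCKED, INTERNAL_CERTS, NEW_COM_CERT, LANDING)

if __name__ == "__main__":
    print(WITHOUT_SNI)   # {'status': 'cert_warning', 'presented_cn': 'new.com'}
    print(WITH_SNI)      # {'status': 301, 'location': 'https://new.com/blocked'}
```

Case 2 is what a proxy that issues certificates itself does for the client: it holds a certificate valid for "original.com", so the browser trusts the connection and only then sees the redirect.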

                  • 6. Re: DNS Redirect and Certificate Common Name
                    thelok

                    Thanks Pedro, I think we may have to resort to using the Redirect action in MWG.