Path-Based Multi-Homing

Path-based multi-homing uses the same DNS name for all resources, but each resource or resource group must have a unique path appended to the DNS name. For example, if the DNS name is test.com, append /sales to test.com. When the user enters www.test.com/sales, Access Gateway resolves the URL to the sales resource group.

Figure 2-17 Using a Domain Name with Path Elements

Path-based multi-homing has the following characteristics:

  • It is considered to be more secure than domain-based multi-homing, because some security experts consider wildcard certificates less secure than a certificate with a specific hostname.

  • Each resource or group of resources must have a unique starting path.

  • JavaScript applications might not work as designed if they obscure the URL path. Access Gateway needs access to the URL path, and if it is obscured, the path cannot be resolved to the correct back-end resource.

  • The protected resources for each path-based child come from the parent proxy service.

The following sections explain how to configure path-based proxy services and your network so that Access Gateway can find the correct protected resources:

Configuring the Remove the Path on Fill Option

If the path that is part of the published DNS name (/sales or /apps) is used to identify a resource but is not part of directory configuration on the web server, the path needs to be removed from the URL before the request is sent to the web server. For example, suppose you use the following configuration:

Browser URL Using the Published DNS Name    Web Server URL
http://www.test.com/sales                   http://sales4.internal.com/

In this case, the path needs to be removed from the URL that Access Gateway sends to the web server. Access Gateway does not allow you to set up multiple paths to this type of web server, so all pages must have the same authentication requirements.

If the path in the published DNS name is a path on the web server, the path needs to be passed to the web server as part of the URL. For example, suppose you use the following configuration:

Browser URL Using the Published DNS Name    Web Server URL
http://www.test.com/sales                   http://sales4.internal.com/sales

Because the path component specifies a directory on the web server where the content begins, you must choose to include the path. Access Gateway then includes the path as part of the URL it sends to the web server. This configuration allows you to set up multiple paths to the web server, such as:

  • sales/payroll

  • sales/reports

  • sales/products

Such a configuration also allows you to set up different authentication and authorization requirements for each path.

Configuring the Host Header Option

When you create path-based proxy services and also enable the Remove Path on Fill option, you need to know what types of links exist on the web servers. For example, you need to know if the sales web servers in Figure 2-17 have links to the app web servers or to the test web servers. If they don’t, you can set the Host Header option to either Forward Received Host Name or to Web Server Host Name. However, if they do contain links to each other, you need to set the Host Header option to Web Server Host Name and specify a DNS name for the web server in the Web Server Host Name option. Access Gateway needs a method to distinguish between the web servers other than the path, because after the path is removed, all the web servers in Figure 2-17 have the same name: www.test.com.

If you select the Forward Received Host Name option for a path-based service, you might also need to add entries to the Additional DNS Name List for the rewriter. For more information, see Determining Whether You Need to Specify Additional DNS Names.

Preparing for Path-Based Multi-Homing

Before configuring Access Gateway, you need to complete the following:

  • Create the published DNS names with paths for public access to the back-end resources. For example, the table below uses test.com as the domain name. It lists three published DNS names (two with paths), the IP address these names resolve to, and the web servers that they are going to protect:

    Published DNS Name    Access Gateway IP Address    Web Server Host Name    Web Server IP Address
    test.com              10.10.195.90:80              test.internal.com       10.10.15.10
    test.com/sales        10.10.195.90:80              sales.internal.com      10.10.15.20
    test.com/apps         10.10.195.90:80              apps.internal.com       10.10.15.30

  • Configure your DNS server to resolve the published DNS names to the IP address of Access Gateway.

  • Set up the back-end web servers. If they have links to each other, set up DNS names for the web servers.

  • Create one proxy service that uses test.com as its published DNS name and two path-based proxy services.

    To create a path-based multi-homing proxy service, see Creating a Second Proxy Service, and select path-based for the multi-homing type.
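
The following added example (a model written for this page, not Access Gateway code) shows how the Remove Path on Fill and Host Header settings described above change the request that reaches the web servers in the table. The PathService class, the resolve function, the option labels, and the per-service option settings are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PathService:
    path: str                  # unique starting path ("/" = parent proxy service)
    web_server: str            # Web Server Host Name from the table above
    remove_path_on_fill: bool  # strip the starting path before filling
    host_header: str           # "forward_received" or "web_server" (assumed labels)


# Hosts and paths come from the table; the option settings are assumed.
SERVICES = [
    PathService("/", "test.internal.com", False, "forward_received"),
    PathService("/sales", "sales.internal.com", True, "web_server"),
    PathService("/apps", "apps.internal.com", False, "web_server"),
]


def resolve(url, services=SERVICES):
    """Return (web_server, host_header_sent, path_sent) for a browser URL."""
    parts = urlsplit(url)
    # Collapse "." and ".." first, so the path that is matched is the path
    # that is sent ("/apps/../sales" is handled as "/sales").
    path = "/" + posixpath.normpath(parts.path or "/").lstrip("/")
    # Longest starting path wins, matched on whole segments only:
    # "/salesforce" must not resolve to the "/sales" service.
    for svc in sorted(services, key=lambda s: len(s.path), reverse=True):
        prefix = svc.path.rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            break
    else:
        raise LookupError("no proxy service for " + path)
    fill = path
    if svc.remove_path_on_fill and prefix:
        fill = path[len(prefix):] or "/"
    # After the path is removed, only the Host header still tells the web
    # servers apart, which is why the sales service sends its own name.
    host = svc.web_server if svc.host_header == "web_server" else parts.hostname
    return svc.web_server, host, fill


if __name__ == "__main__":
    for u in ("http://www.test.com/sales/reports", "http://www.test.com/apps"):
        print(u, "->", resolve(u))
```
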