I have environment like this :
There is 1 Web server handle 3 host example : my.abc.com, go.abc.com and to.abc.com ( this server just have 1 public IP and 1 local IP.)
I just want to secured the my.abc.com via SA ( if can, this my.abc.com will no longer publish to internet/outside), the others host is not. So for PoC i configured 1 new public IP mapping in FW to Local IP of SA and configured in SA when user login through SA the web page my.abc.com will show up. it works fine.
the issue is : when i access the new pubic IP and login through SA, it takes much time to show up the my.abc.com page around 45-50 minutes. i already make sure this is not about internet connection, because when i accessed my.abc.com (still publish in internet) directly from internet, the page is show up faster than through SA.
any idea what is the cause this? is it because the rewriting web feature in SA that makes longer time?
Really need help.
Have you tried adding a host entry on the SA for the host you want to publish internally to the local IP of the server
Thanks for your question.
yes, i have tried adding host entry in SA for domain my.abc.com with the local IP, but still the same.
is it have to remove DNS IP in Network configuration when adding this host entry in SA?
Host file entry takes precedence over DNS so you need not remove the dns entry,I suspect the rewrite engine is taking long time to rewrite the site as maybe the site is heavily scripted
You can test passthrough proxy and see if that works out better
For test purposes, you can add a manual host entry with the PTP virtula hostname mapped to the external public IP that users use to connect to the SA externally
I read on PTP document that you give. There is rewrite feature. is it the same with the rewrite feature in role configuration?
if this is because the rewrite fature on SA makes taking longer time. Is it any different using rewrite feature in role and rewrite feature in PTP?
Now i use one new ip public for SA (NAT in Firewall to SA local IP), not publish to external domain yet. So i have to use PTP SA port method, right?
PTP does minimal rewrite but uses a different engine i.e PTP engine but yes rewriting method rewrites all web content while PTP does minimal rewrite
If you configure a backend hostname like abc.test.com with PTP, that applies to every role and PTP configuration is not role specific
I did not understad what you meant by one new public IP, how many public's IP's are NAT'ed to your SA external port IP or your internal port interface IP(if you only have intrenal port configured)
You need only one public IP NAT'ed to your SA internal interface, a second public IP can be used to NAT to a virtual port on the SA if you need to provide multiple URL's to users to access the SA
Yes, you can test if PTP works first by adding a host entry on the client PC with the PTP virtual hostname mapped to the public IP used by users to access the SA ,configure PTP with hostname method for this test
If PTP works reliably, you can request for the high port between 11000-11099 to be open on the firewall to the external interface of the SA and configure PTP based on port
Keep the public IP for the web server aside, we are going to access the SA using its public IP , users are going to authenticate to the SA and then access the backend resource using the rewriting feature or PTP feature
When you said "I configured 1 new public IP mapping in FW to Local IP of SA"
Are you mapping the public IP of the webserver in the FW to local IP of SA?
the topology like this:
Internet ----------------------Firewall -------------------Switch -------------- SA and web server
in SA, i just using internal port with local IP (not use external port). Public IP for this SA is in Firewall.
so for this PoC, user from internet access to public IP SA, after login through SA, user can accees the web application.
So based on your suggestion is, adding host entry in hostfile in PC user from internet accessing domain that pointing to SA public IP, am i right?
for this test, i have to open port 11000-11099 in Firewall?
For just testing if PTP will work well or not for the resource, you need not open the port between 11000-11099
We can add a host entry on client PC mapping SA public IP to PTP virtual hostname and configure PTP based on hostname and test.
If that works, we can open the high port and put it in production
The reason PTP configuration using port is recommended is because if you do it by hostname, you will need to create a Certificate for that PTP virtual hostname
Thank you for your explaination.
regarding of what your said : "The reason PTP configuration using port is recommended is because if you do it by hostname, you will need to create a Certificate for that PTP virtual hostname"
So based on the guide of PTP there are 2 methods doing PTP in SA : Via an SA port and Via external DNS resolution.
So do you mean using Via port method in SA is better recomended then using Via external DNS resolution ?