Hi Guys,
I have an environment like this:
There is 1 web server handling 3 hosts, for example: my.abc.com, go.abc.com and to.abc.com (this server just has 1 public IP and 1 local IP).
I just want to secure my.abc.com via SA (if possible, my.abc.com will no longer be published to the internet/outside); the other hosts are not. So for the PoC I configured 1 new public IP mapping in the FW to the local IP of the SA, and configured the SA so that when a user logs in through the SA the web page my.abc.com shows up. It works fine.
The issue is: when I access the new public IP and log in through SA, it takes a long time for the my.abc.com page to show up, around 45-50 minutes. I already made sure this is not about the internet connection, because when I access my.abc.com (still published on the internet) directly from the internet, the page shows up faster than through SA.
Any idea what the cause of this is? Is it because of the web rewriting feature in SA that it takes longer?
Really need help.
Thanks
Hi Andre,
Have you tried adding a host entry on the SA for the host you want to publish internally, pointing to the local IP of the server?
Regards,
Jay
Hi Jay,
Thanks for your question.
Yes, I have tried adding a host entry in SA for the domain my.abc.com with the local IP, but it is still the same.
Do I have to remove the DNS IP in the Network configuration when adding this host entry in SA?
Hi Andre,
The host file entry takes precedence over DNS, so you need not remove the DNS entry. I suspect the rewrite engine is taking a long time to rewrite the site, as maybe the site is heavily scripted.
You can test the pass-through proxy and see if that works out better:
http://www.juniper.net/techpubs/software/ive/guides/howtos/How_To__PTP.pdf
For test purposes, you can add a manual host entry with the PTP virtual hostname mapped to the external public IP that users use to connect to the SA externally.
Regards,
Jay
Hi Jay,
I read the PTP document that you gave. There is a rewrite feature. Is it the same as the rewrite feature in the role configuration?
If this is because the rewrite feature on SA makes it take longer: is there any difference between using the rewrite feature in the role and the rewrite feature in PTP?
Now I use one new public IP for SA (NAT in the firewall to the SA local IP), not published to an external domain yet. So I have to use the PTP SA port method, right?
Hi Andre,
PTP does minimal rewriting but uses a different engine, i.e. the PTP engine. But yes, the rewriting method rewrites all web content, while PTP does minimal rewriting.
If you configure a backend hostname like abc.test.com with PTP, that applies to every role; PTP configuration is not role-specific.
I did not understand what you meant by one new public IP. How many public IPs are NAT'ed to your SA external port IP or your internal port interface IP (if you only have the internal port configured)?
You need only one public IP NAT'ed to your SA internal interface. A second public IP can be used to NAT to a virtual port on the SA if you need to provide multiple URLs for users to access the SA.
Yes, you can test whether PTP works first by adding a host entry on the client PC with the PTP virtual hostname mapped to the public IP used by users to access the SA. Configure PTP with the hostname method for this test.
If PTP works reliably, you can request that the high port (between 11000 and 11099) be opened on the firewall to the external interface of the SA, and configure PTP based on port.
Keep the public IP for the web server aside. We are going to access the SA using its public IP; users are going to authenticate to the SA and then access the backend resource using the rewriting feature or the PTP feature.
Regards,
Jay
Hi Andre,
When you said "I configured 1 new public IP mapping in FW to Local IP of SA"
Are you mapping the public IP of the web server in the FW to the local IP of the SA?
Regards,
Jay
Hi Jay,
The topology is like this:
Internet ----------------------Firewall -------------------Switch -------------- SA and web server
In SA, I am just using the internal port with a local IP (not using the external port). The public IP for this SA is on the firewall.
So for this PoC, a user from the internet accesses the SA public IP; after logging in through SA, the user can access the web application.
So your suggestion is to add a host entry in the hosts file on the PC of a user from the internet, accessing a domain that points to the SA public IP, am I right?
For this test, do I have to open ports 11000-11099 in the firewall?
Thanks
Hi Andre,
For just testing whether PTP will work well or not for the resource, you need not open a port between 11000 and 11099.
We can add a host entry on the client PC mapping the SA public IP to the PTP virtual hostname, configure PTP based on hostname, and test.
If that works, we can open the high port and put it in production.
The reason PTP configuration using a port is recommended is that if you do it by hostname, you will need to create a certificate for that PTP virtual hostname.
Regards,
Jay
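Two of Jay's points above lend themselves to a quick pre-flight check: the hosts-file entry for the hostname-based PTP test, and the fact that the hostname method only works cleanly if the certificate presented by the SA actually covers the PTP virtual hostname (otherwise you need a new certificate, which is why the port method is recommended). The following is an added example, not code from the thread or from Juniper; it checks a virtual hostname against the certificate's subject names using the usual browser rules (case-insensitive exact match, or a wildcard in the left-most label only matching exactly one label, never for IP addresses) and recommends hostname vs. port accordingly. All names and the IP 203.0.113.10 are constructed for illustration.

```python
"""Pre-flight check for a PTP hostname test: hosts-file entry plus
certificate-name coverage for the PTP virtual hostname.

Added example for the thread above; not Juniper code. The certificate
names, hostnames and IP address below are constructed for illustration.
"""
import ipaddress


def _is_ip(value):
    """True if value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hostname_covered(hostname, cert_names):
    """Return True if the certificate's names cover hostname.

    Rules (RFC 6125 style, as browsers apply them):
      - exact match, case-insensitive, trailing dot ignored;
      - a wildcard is only honoured as the whole left-most label
        ('*.vpn.abc.com'), and it matches exactly one label, so it
        covers 'my.vpn.abc.com' but not 'a.b.vpn.abc.com' or 'vpn.abc.com';
      - IP-address hostnames never match a wildcard.
    """
    host = hostname.rstrip(".").lower()
    host_is_ip = _is_ip(host)
    for name in cert_names:
        name = name.rstrip(".").lower()
        if name == host:
            return True
        if host_is_ip or not name.startswith("*."):
            continue
        suffix = name[1:]                 # '*.vpn.abc.com' -> '.vpn.abc.com'
        if host.endswith(suffix):
            left = host[: -len(suffix)]   # the part the '*' must cover
            if left and "." not in left:  # exactly one non-empty label
                return True
    return False


def hosts_entry(sa_public_ip, ptp_virtual_hostname):
    """Line to add to the client PC's hosts file for the hostname-method
    test: PTP virtual hostname -> public IP users use to reach the SA."""
    ipaddress.ip_address(sa_public_ip)    # raises ValueError on a bad IP
    return f"{sa_public_ip}\t{ptp_virtual_hostname}"


def recommend_ptp_method(ptp_virtual_hostname, cert_names):
    """'hostname' if the SA certificate already covers the PTP virtual
    hostname, else 'port' (high port 11000-11099 on the SA's existing
    hostname and certificate, the method recommended in the thread)."""
    if hostname_covered(ptp_virtual_hostname, cert_names):
        return "hostname"
    return "port"


# Constructed sample: names the SA's certificate is assumed to carry.
SA_CERT_NAMES = ["sa.abc.com", "*.vpn.abc.com"]

if __name__ == "__main__":
    print(hosts_entry("203.0.113.10", "my-ptp.abc.com"))
    for h in ["my-ptp.abc.com", "my.vpn.abc.com", "a.b.vpn.abc.com", "SA.ABC.COM"]:
        print(f"{h}: {recommend_ptp_method(h, SA_CERT_NAMES)}")
```

Run it before the test: if the recommendation is "port" for the virtual hostname you planned, the hostname method will produce certificate warnings on the client until a certificate for that name is installed on the SA, which is exactly the extra work Jay points out.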
Hi Jay,
Thank you for your explanation.
Regarding what you said: "The reason PTP configuration using port is recommended is because if you do it by hostname, you will need to create a Certificate for that PTP virtual hostname"
So based on the PTP guide there are 2 methods of doing PTP in SA: via an SA port and via external DNS resolution.
So do you mean using the via-port method in SA is more recommended than using via external DNS resolution?