About Access Gateway DNS use
To correctly deploy Access Gateway, we must understand how it uses Domain Name Services, or DNS.
Access Gateway acts as a reverse proxy. In general, a reverse proxy is a server that sits in front of web servers, intercepting requests from clients. and forwarding those requests to back end web servers. Access Gateway must then be able to resolve addresses both available to the general public (external) and behind the customers firewall (internal). As a result of Access Gateway behaving as a reverse proxy, it may share hostnames with the application servers. For example peoplesoft.example.com might be what the Peoplesoft deployment team uses internally behind Access Gatewayas well as what Access Gatewaypublic domain would be. The gateway would then reverse proxy any requests to the actual Peoplesoft application.
In the DNS architecture diagram, this example would be represented as:
- app-external.mysite.mycompany.com - this is the name that the end user would you to access that application. The DNS for this name would resolve to the Access Gateway instance. This could also be the same name used internally but need not be.
- app-internal - represents the actual protected web application, the actual Peoplesoft application.
In this example Access Gateway and the external application resolve to the same IP address.
Lets examine the ways Access Gateway uses IP addresses.
External or public/customer facing DNS entries represent the URL that a customer would enter to access an application.
As previously stated, an example might be peoplesoft.mysite.company.com.
External DNS entries:
- Are defined in public DNS and are resolvable by anyone.
- Must be resolvable by Access Gateway.
- Are shown in the diagram as app-external[.mysite.company.com].
- Resolve to the IP address of Access Gateway, or a load balancer if required.
- Are defined in applications by Access Gateway Public Domain application field.
Internal DNS are private entries are represent the back-end applications being protected by Access Gateway.
An example might be peoplesoft.protected.com.
- Are defined in a private DNS and typically only resolvable behind an organizations firewall.
- Must be resolvable by Access Gateway.
- Are shown in the diagram as app-internal*.
- Are defined in applications by the Access Gateway Protected Web Resource application field.
A third class of entries are reserved DNS names and represented by the /etc/hosts, DNS:gw-admin[.mysite.company.com] and DNS.gw.[mysite.company.com] entries.
- /etc/hosts:admin represents an entry in your local hosts file (/etc/hosts on *nix variants) and c:\Windows\System32\drivers\etc\hosts under Windows).
This entry is required for initial configuration of Access Gateway and can be ignored or removed once initial deployment is complete.
- /etc/hosts:header represents a set of entries primarily used for testing and development. For example when creating a sample header application for testing.
Other examples might be proxy, policy or other test entries. These entries are typically ignored or discarded when moving from development to test or production.
- gw-admin[.mysite.company.com] represents the name of the Access Gateway administration instance and points to the IP address of the Access Gateway itself.
- gw.[mysite.mycompany.com], must also exist and point to the same IP address as gw-admin[.mysite.company.com].
Used by the admin GUI service to route configuration requests.
In high availability clusters there may be other DNS entries for the member nodes of the cluster, such as node1, node2 etc as required.
Access Gatewayapplications are independent of each other.
While your admin domain might be gw.example.com your header app could certainly be header.mycompany.com.
Not shown is the expected company.okta.com or company.oktapreview.com entries. These entries are used by Access Gateway when configuring an IDP but strictly part of Access Gateway DNS.
DNS entries and record types
DNS supports two record types:
- The A record maps a name to one or more IP addresses when the IP are known and stable.
- The CNAME record maps a name to another name.
Typically Access Gateway would use an A record for gateway addresses such as gw-admin.[mysite.company.com] and CNAME records, pointing to the gateway address for all external (app-external*[.mysite.company.com]) addresses.