Domain Name Routing 
WARNING
Users may see a warning in their browsers that their connection may be insecure if the local domain name does not match the configured certificate.
Requiring users to connect to a loopback address in a browser (or other GUI applications) to access a web portal or service through the SealedTunnel is often not an intuitive or effective user experience.
To make SealedTunnel use easier, you can configure global DNS records or local routes (via your operating system's hosts file) to map loopback addresses to domain names (URLs).
Local Domain Name Routing 
TIP
hosts files can easily be configured via group policies on Windows domains.
There are two ways to configure local domain name routing for client machines:
Loopback Address Variation 
Loopback Address Variation is the simplest way to configure local domain name routing.
When configuring Binding Routes for your end users, map each web portal to a unique loopback address and specify port 443 on all of them.
If you have three web portals (e.g., an HR Portal, a Sales Portal, and a Code Repository Portal) all wrapped in the SealedTunnel, use a different address in the 127.*.*.* range for each, with HTTPS port 443 so that browsers will use HTTPS by default.
For example:
| Portal | Mapping | 
|---|---|
| HR | 127.0.0.1:443 | 
| Sales | 127.0.0.2:443 | 
| Code Repository | 127.1.0.1:443 | 
Next, edit your hosts file and add the mappings for each portal to a domain name.
The hosts file can be found at the following locations:
Windows: C:\Windows\System32\drivers\etc\hosts
Linux: /etc/hosts
macOS: /private/etc/hosts
For example:
...
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.0.0.1 hr.example.com 
127.0.0.2 sales.example.com 
127.1.0.1 gitlab.example.com 
From now on, end users may simply use these URLs in their browser and their connections will be secured through the SealedTunnel behind the scenes.
Local Port Listening 
Local Port Listening is an alternative method for configuring local domain name routing.
If you need to use a static loopback address for all of your Binding Routes, then use this paradigm.
First, it helps to construct a table of ports, hostnames, and listen addresses. The listen address is any unique address in the 127.*.*.* range.
For example:
| Portal | Mapping | Hostname | Listen Address | 
|---|---|---|---|
| HR | 127.0.0.1:45 | hr.example.com | 127.65.43.21:443 | 
| Sales | 127.0.0.1:886 | sales.example.com | 127.64.43.21:443 | 
| Code Repository | 127.0.0.1:1329 | gitlab.example.com | 127.63.43.21:443 | 
Next, edit your hosts file, mapping the listen address to the host name (domain name). The hosts file can be found at the following locations:
Windows: C:\Windows\System32\drivers\etc\hosts
Linux: /etc/hosts
macOS: /private/etc/hosts
For example:
...
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
127.65.43.21 hr.example.com 
127.64.43.21 sales.example.com 
127.63.43.21 gitlab.example.com 
Finally, route the traffic received on the listen address to the Binding Route.
Below are examples for different operating systems.
INFO
Instructions for macOS and Linux are coming soon.
For the HR Portal:
netsh interface portproxy add v4tov4 listenport=443 listenaddress=127.65.43.21 connectport=45 connectaddress=127.0.0.1
For the Sales Portal:
netsh interface portproxy add v4tov4 listenport=443 listenaddress=127.64.43.21 connectport=886 connectaddress=127.0.0.1
For the Code Repository:
netsh interface portproxy add v4tov4 listenport=443 listenaddress=127.63.43.21 connectport=1329 connectaddress=127.0.0.1
This will route the HTTPS traffic sent to the domain name (e.g., sales.example.com) to port 443 on the listen address, which routes the traffic to the SealedTunnel Mapping Route (e.g., 127.0.0.1:45).
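As an added example (not part of the Xiid documentation), the following Python script builds the hosts entries and netsh commands from the Local Port Listening table and rejects rows that would break the scheme: an address outside 127.0.0.0/8, an invalid port, or a listen address or hostname used twice. The names PORTALS, split_endpoint and build_config are assumptions made for this illustration.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Rows of the Local Port Listening table: (hostname, Binding Route mapping, listen address)
PORTALS = [
    ("hr.example.com", "127.0.0.1:45", "127.65.43.21:443"),
    ("sales.example.com", "127.0.0.1:886", "127.64.43.21:443"),
    ("gitlab.example.com", "127.0.0.1:1329", "127.63.43.21:443"),
]

def split_endpoint(endpoint):
    """Split 'a.b.c.d:port'; require a loopback IPv4 address and a valid port."""
    host, _, port = endpoint.rpartition(":")
    addr = ipaddress.IPv4Address(host)  # ValueError on a malformed address
    if addr not in LOOPBACK:
        raise ValueError(f"{endpoint}: outside 127.0.0.0/8, not a loopback address")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"{endpoint}: invalid port")
    return str(addr), int(port)

def build_config(portals):
    """Validate every row, then return (hosts_lines, netsh_commands)."""
    hosts_lines, commands = [], []
    seen_listen, seen_names = set(), set()
    for hostname, mapping, listen in portals:
        connect_addr, connect_port = split_endpoint(mapping)
        listen_addr, listen_port = split_endpoint(listen)
        if listen_addr in seen_listen:
            raise ValueError(f"{listen_addr}: listen address used by more than one portal")
        if hostname.lower() in seen_names:
            raise ValueError(f"{hostname}: hostname listed more than once")
        seen_listen.add(listen_addr)
        seen_names.add(hostname.lower())
        hosts_lines.append(f"{listen_addr} {hostname}")
        commands.append(
            "netsh interface portproxy add v4tov4 "
            f"listenport={listen_port} listenaddress={listen_addr} "
            f"connectport={connect_port} connectaddress={connect_addr}"
        )
    return hosts_lines, commands

if __name__ == "__main__":
    hosts, cmds = build_config(PORTALS)
    print("\n".join(hosts + cmds))
```

Because every row is validated before anything is returned, a table with a non-loopback listen address produces an error instead of a portproxy rule that would listen on a network-facing interface.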
DNS A Record Routing 
WARNING
All Binding Routes wishing to access resources via a DNS A Record must have the same loopback address and port configured on their individual Entrypoint configurations.
Pointing DNS A Records to mapped loopback addresses for resource access, such as web services, will allow all users with appropriate SealedTunnel access to use those resources directly without requiring changes to local hosts files on each Entrypoint.
Simply add A Records to your DNS configuration that correspond to the loopback address configured on all Binding Routes that wish to leverage the domain name.
At Xiid, we use this ourselves to access our internal resources: here is a real example!

